Linux
All blog posts related to LINUX
Mounting and Unmounting Linux EBS volumes on AWS
You can use the following Linux commands to mount and unmount an EBS volume. They are useful if you are new to Linux, especially on a cloud infrastructure like AWS.
AWS Instance Type: Amazon Linux (Redhat version)
1. lsblk – To check all volumes mounted
2. Then use the following to create a file system within the volume created
>> sudo mke2fs /dev/xvdf
3. Mount the created volume to an existing folder
>> sudo mount /dev/xvdf /mnt
4. Now check lsblk. You can see that /dev/xvdf is mounted on the /mnt directory.
5. Now you can copy files to the mounted folder
6. If you want to unmount the volume you can use the following
>> sudo umount /mnt
That's it!
Securing Apache with SSL on Ubuntu 14
$ sudo apt-get update
$ sudo apt-get install apache2
$ sudo a2enmod ssl
$ sudo service apache2 restart
$ sudo service apache2 restart
# The target directory must exist before openssl can write the key and certificate
$ sudo mkdir -p /etc/apache2/ssl
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin admin@example.com
        ServerName example.com
        ServerAlias www.example.com
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>
$ sudo a2ensite default-ssl.conf
$ sudo service apache2 restart
Tomcat Startup Script – Ubuntu 14.04 LTS
Environment : Ubuntu 14.04 LTS
Prerequisites: Java and Tomcat installed on your machine/instance. JAVA_HOME should already be set before you start.
Step 1: Create a file called “tomcat” under /etc/init.d folder and have the contents as below.
#!/bin/bash
#
# tomcat
#
# chkconfig:
# description: Start up the Tomcat servlet engine.
# Source function library.
TOMCAT_DIR=/home/crishantha/lib/apache-tomcat-7.0.63
case "$1" in
  start)
    $TOMCAT_DIR/bin/startup.sh
    ;;
  stop)
    $TOMCAT_DIR/bin/shutdown.sh
    sleep 10
    ;;
  restart)
    $TOMCAT_DIR/bin/shutdown.sh
    sleep 20
    $TOMCAT_DIR/bin/startup.sh
    ;;
  *)
    echo "Usage: tomcat {start|stop|restart}" >&2
    exit 3
    ;;
esac
Step 2: Make the script executable
sudo chmod a+x tomcat
Step 3: Test the above script by executing the commands below
sudo ./tomcat start
sudo ./tomcat stop
Step 4: Register the above script as an init script. The following makes sure that “start” or “stop” is executed at the system run levels. By default, start happens on run levels 2 3 4 5 and stop happens on run levels 0 1 6.
sudo update-rc.d tomcat defaults
Step 5: Now reboot the machine/instance to see everything is fine
Creating LXC instances on Ubuntu 14 LTS
Hypervisor Virtualization Vs OS level / Container Virtualization
Unlike hypervisor virtualization, where one or more independent machines run virtually on physical hardware via an intermediation layer, containers instead run user space on top of an operating system’s kernel. As a result, container virtualization is often called operating system-level virtualization.
Container/OS-level virtualization provides multiple isolated Linux environments on a single Linux host. It shares the host OS kernel and makes use of the guest OS system libraries to provide the required OS capabilities. This allows containers to have very low overhead and much faster startup times than VMs.
As a limitation, containers have been considered less secure than hypervisor virtualization. Countering this argument, however, containers lack the larger attack surface of the full operating systems deployed under hypervisor virtualization.
The most recent OS-level virtualization/container technologies are considered to be OpenVZ, Oracle Solaris Zones and Linux LXC.
LXC Containers
Linux Containers (LXC) is a fast, lightweight, OS-level virtualization technology that allows us to host multiple isolated Linux systems on a single host.
Installing LXC on Ubuntu 14 LTS
LXC is available in the default Ubuntu repositories. Simply type the following for a complete installation.
sudo apt-get install lxc lxctl lxc-templates
To check the successful completion, type
sudo lxc-checkconfig
If everything is fine, it will show something similar to the following
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.13.0-32-generic
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled
--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled
Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
Creating LXC
sudo lxc-create -n <container-name> -t <template>
The <template> can be found in the /usr/share/lxc/templates/ folder.
For example, if you need to create an Ubuntu container, you may execute,
sudo lxc-create -n ubuntu01 -t ubuntu
If you want to create an OpenSUSE container you may execute,
sudo lxc-create -n opensuse1 -t opensuse
If you want to create a Centos container, you may execute,
sudo apt-get install yum   # This is required as a prerequisite for the CentOS installation
sudo lxc-create -n centos01 -t centos
Once created you should be able to list all the LXCs created.
sudo lxc-ls
To list down the complete container information,
sudo lxc-info -n ubuntu01
Starting LXC
Execute the following command to start the created containers.
sudo lxc-start -n ubuntu01 -d
Now use the following to log in to the started containers.
sudo lxc-console -n ubuntu01
The default userid/password is ubuntu/ubuntu.
[To exit from the console, press “Ctrl+a” followed by the letter “a”.]
If you need to see the assigned IP address and the state of any created instance,
sudo lxc-ls --fancy ubuntu01
Stopping LXC
sudo lxc-stop -n ubuntu01
Cloning LXC
sudo lxc-stop -n ubuntu01
sudo lxc-clone ubuntu01 ubuntu02
sudo lxc-start -n ubuntu02
Deleting LXC
sudo lxc-destroy -n ubuntu01
Managing LXC using a Web Console
sudo wget http://lxc-webpanel.github.io/tools/install.sh -O - | bash
Then, access the LXC web panel using URL: http://<ip-address>:5000. The default username/password is admin/admin
Generating public-private key pairs with ssh-keygen
If you are into enterprise application development, you must have come across the requirement of “generating public-private key pairs”. There can be several purposes. Mostly you need this in order to authenticate a desired client.
Usually, for this task you tend to fall back on tools like keytool or OpenSSL. However, these tools do more than create “public-private key pairs”: they can also handle generated keys and certificates in production systems.
If you have a simple authentication requirement, the above tools may not be the ideal choice, mainly because there are other tools that can generate “public-private key pairs” without much hassle. One of the popular choices is the ssh-keygen tool, which is available on Unix/Linux distributions.
For example, if you want to authenticate yourself to a remote server by means other than username-password authentication, you are required to create a “public-private key pair” to authenticate between the two entities. (Authenticating an AWS user to an EC2 instance is a good example.) In these scenarios, ssh-keygen can be very handy. After creating the key pair, just send the public key to any party who is willing to authenticate your machine. That party may add your public key to the server instance. (On Unix-like systems, it goes in the .ssh directory of your home folder. Just append the public key to the “authorized_keys” file.) Thereafter, just “ssh” to the particular remote server/instance, specifying the private key as the argument. That's it!
On Windows systems, puttygen is the tool that is widely used. However, the public keys extracted from this tool will not work properly for user authentication. The workaround is to change the format of the public key in the authorized_keys file.
For example, the initial public key generated by puttygen can be in the following format,
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20110829"
AAAAB3NzaFDFDFDGEEABJQAAAIEAknX1EwDVO826fSyAxVOkruwwG8AWNjsw4FXz
XrN6FClXU7BegOziTlDFDFDGDGGDFGD9ciJkE7LN55CEr9eOcNh16jSd/6a9J38R
MQwWUn3UvsrHKMu6qetf1kbP0b77Md4DFDFDFGDFGDyVYZrt7Nw/Q0MtObYdqFVS
/4kdfdffS=
---- END SSH2 PUBLIC KEY ----
In this example, just remove the comment lines and EOL characters and add an “ssh-rsa” string to the beginning.
ssh-rsa AB3NzaC1yc2EAAAABJQAAAIEAknX1EwDVO826fSyAxVOkruwwG8AWNjsw4FXzXrN6FClXU7BegOziTlL1jG0oPOHMrxx9ciJ38RMQwWUn3UvsrHKMu6qetf1kbP0b77Md4fJvxgPnxAM6yVYZrt7Nw/Q0MtObYdqFVS/4kx+JM= <user-name>
This will eliminate the authentication issue that you probably had.
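The manual conversion described above can be scripted. The following is an added example, not code from the original post: it parses the puttygen export format (RFC 4716), drops the header lines, joins the wrapped key data, and reads the key type from the decoded key itself instead of assuming “ssh-rsa”. The function names and the sample key are constructed for illustration.

```python
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

def rfc4716_to_openssh(text, comment=""):
    """Turn a puttygen/RFC 4716 public key block into one authorized_keys line."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an SSH2 PUBLIC KEY block")
    body, i = lines[1:-1], 0
    # Skip "Tag: value" headers; a trailing backslash continues a header line.
    while i < len(body) and ":" in body[i]:
        while i < len(body) and body[i].endswith("\\"):
            i += 1
        i += 1
    b64 = "".join(body[i:])  # removes the EOL characters inside the key data
    blob = base64.b64decode(b64, validate=True)  # ValueError on damaged data
    # The decoded blob begins with a length-prefixed algorithm name, so the
    # key type is read from the key itself rather than assumed to be ssh-rsa.
    if len(blob) < 4:
        raise ValueError("key data too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if name_len == 0 or 4 + name_len > len(blob):
        raise ValueError("corrupt key blob")
    key_type = blob[4:4 + name_len].decode("ascii")
    return " ".join(part for part in (key_type, b64, comment) if part)

def _ssh_string(data):
    # SSH wire encoding: 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(data)) + data

def constructed_sample():
    """Constructed block in puttygen's export format; not real key material."""
    blob = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x25")
            + _ssh_string(b"\x00" + bytes(range(0x80, 0xC0))))
    b64 = base64.b64encode(blob).decode("ascii")
    wrapped = "\n".join(b64[j:j + 64] for j in range(0, len(b64), 64))
    text = f'{BEGIN}\nComment: "rsa-key-constructed"\n{wrapped}\n{END}\n'
    return text, b64

if __name__ == "__main__":
    sample, _ = constructed_sample()
    print(rfc4716_to_openssh(sample, "user@example"))
```

OpenSSH's own `ssh-keygen -i -f <file>` performs the same conversion on a host where it is installed.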
Using the Linux “screen” command
If you have a remote Linux machine with ssh access and if you want to run a job that takes a longer period of time, most of the time the ssh session will time out. That means you need a way to execute that job in the background even if your session times out. To facilitate this feature, Linux has the screen command.
How to activate a screen session?
>> screen -a
Then if you want to run the background job, just execute it and use the Ctrl+A+D to get back to your main prompt.
How to check the number of screen sessions available?
>> screen -ls
The answer would be like,
There is a screen on:
10707.pts-0.linuxmachine (Detached)
1 Socket in /var/run/screen/S-root.
How do we go back to a screen session that is already detached by the user?
>> screen -r 10707
(Here the “10707″ refers to the particular screen session ID)
Once you get back to the particular screen session, you can formally get back to the default command prompt by just typing exit.
Reference: http://www.linuxjournal.com/article/6340?page=0,1