Monthly Archives: June 2013

Install OpenStack nova CLI on MacOS X

1. Check the Python installation. At the time of writing (2013) the nova client does not support Python 3.

$ python -V
Python 2.7.2

2. Install python-novaclient using pip; don't panic if you already installed python-novaclient with easy_install, pip will pick up the existing installation:

$ sudo easy_install pip
Searching for pip
Best match: pip 1.3.1
Processing pip-1.3.1-py2.7.egg
pip 1.3.1 is already the active version in easy-install.pth
Installing pip script to /usr/local/bin
Installing pip-2.7 script to /usr/local/bin
 
Using /Library/Python/2.7/site-packages/pip-1.3.1-py2.7.egg
Processing dependencies for pip
Finished processing dependencies for pip
 
$ sudo pip install python-novaclient
Requirement already satisfied (use --upgrade to upgrade): python-novaclient in /Library/Python/2.7/site-packages
Requirement already satisfied (use --upgrade to upgrade): iso8601>=0.1.4 in /Library/Python/2.7/site-packages/iso8601-0.1.4-py2.7.egg (from python-novaclient)
Requirement already satisfied (use --upgrade to upgrade): prettytable>=0.6,<0.8 in /Library/Python/2.7/site-packages/prettytable-0.7.2-py2.7.egg (from python-novaclient)
Requirement already satisfied (use --upgrade to upgrade): requests>=0.8 in /Library/Python/2.7/site-packages/requests-1.2.3-py2.7.egg (from python-novaclient)
Requirement already satisfied (use --upgrade to upgrade): simplejson in /Library/Python/2.7/site-packages/simplejson-3.3.0-py2.7-macosx-10.8-intel.egg (from python-novaclient)
Cleaning up...

As you can see, pip already lists python-novaclient as installed. From now on you can remove and reinstall python-novaclient with pip, or simply upgrade it with the --upgrade option pip suggests above. One caveat: sudo pip install writes into the system Python under /Library/Python/2.7; a virtualenv keeps the client and its dependencies out of the OS installation.

DNSSEC and possible problems with DNS resolvers

DNSSEC replies are much bigger than traditional DNS answers.
Classic DNS replies fit into the 512-byte UDP limit of RFC 1035.
Anything larger needs EDNS0 (RFC 6891): the client advertises a bigger UDP buffer in an OPT record; without it the server sets the TC bit and the client has to retry over TCP.
To test whether the resolvers and firewalls in your path pass larger
packets, use OARC's DNS Reply Size Test Server:

$ dig +short rs.dns-oarc.net txt

It should then output something like this:

;; Truncated, retrying in TCP mode.
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"217.23.92.200 sent EDNS buffer size 4096"
"217.23.92.200 DNS reply size limit is at least 3843"
"Tested at 2013-06-18 19:16:29 UTC"

Here the resolver 217.23.92.200 advertised an EDNS buffer of 4096 bytes and replies of at least 3843 bytes arrived intact. If the reported limit is well below 4096, something in the path (typically a firewall or middlebox) is dropping large UDP replies; make sure TCP/53 is also allowed so truncated answers can be retried. Explanation can be found here
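To make the EDNS mechanism concrete, here is an added Python example (my own code, not from the original post and not OARC's test server code) that builds the query dig sends above, with and without an EDNS0 OPT record, and parses the two things a reply-size test is about: the UDP payload size a message advertises in its OPT record, and the TC (truncated) bit a server sets when the answer would not fit. The function names and the transaction id are mine, and the truncated reply is a constructed header, not a captured packet.

```python
import struct

QTYPE_TXT = 16
TYPE_OPT = 41


def encode_name(name):
    """Wire-format DNS name: length-prefixed labels ended by a zero byte (no compression)."""
    if name in (".", ""):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_TXT, txid=0x1234, edns_bufsize=None):
    """DNS query with RD set. With edns_bufsize, append an EDNS0 OPT pseudo-RR
    (RFC 6891) in the additional section: root owner name, TYPE 41, and the
    CLASS field reused to carry the UDP payload size we are willing to receive."""
    flags = 0x0100  # RD
    arcount = 1 if edns_bufsize else 0
    pkt = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, arcount)
    pkt += encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    if edns_bufsize:
        # TTL field = extended RCODE (8) | EDNS version (8) | DO bit + zeros (16); RDLENGTH 0
        pkt += b"\x00" + struct.pack(">HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return pkt


def is_truncated(pkt):
    """TC bit set: the answer did not fit the UDP limit, so the client must retry over TCP."""
    (flags,) = struct.unpack(">H", pkt[2:4])
    return bool(flags & 0x0200)


def _skip_name(pkt, off):
    """Return the offset just past the name at off; a compression pointer is two bytes."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def edns_udp_size(pkt):
    """UDP payload size advertised in the OPT RR, or None if the message carries no EDNS0."""
    qdcount, ancount, nscount, arcount = struct.unpack(">HHHH", pkt[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # QTYPE + QCLASS
    for _ in range(ancount + nscount):
        off = _skip_name(pkt, off)
        (rdlength,) = struct.unpack(">H", pkt[off + 8:off + 10])
        off += 10 + rdlength
    for _ in range(arcount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlength = struct.unpack(">HHIH", pkt[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass
        off += 10 + rdlength
    return None


# Constructed (not captured) reply header: QR|TC|RD|RA set, question echoed, no answers.
# This is what a client that sent no OPT record gets back when the TXT answer exceeds 512 bytes.
TRUNCATED_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
                   + encode_name("rs.dns-oarc.net") + struct.pack(">HH", QTYPE_TXT, 1))


if __name__ == "__main__":
    for size in (None, 4096):
        q = build_query("rs.dns-oarc.net", edns_bufsize=size)
        print(len(q), "bytes, advertises", edns_udp_size(q))
    print("constructed reply truncated:", is_truncated(TRUNCATED_REPLY))
```

To run the test for real, send the 4096-byte-buffer query with a UDP socket to the resolver under test and feed the reply to is_truncated and edns_udp_size: a resolver that ignores EDNS answers without an OPT record and truncates anything over 512 bytes, which is exactly what the dig output above would show as a TCP retry for every large answer.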

Enabling DNSSEC on Bind

1. Enable DNSSEC

Update named.conf options section:

options {
 dnssec-enable yes;
 dnssec-validation yes;
};

Also add a managed-keys section, or include the bind.keys file shipped with BIND. With dnssec-validation yes; BIND uses only the trust anchors you configure, so at a minimum the root key must be included for validation to work (the comment inside the key refers to dnssec-validation auto;, which instead uses BIND's built-in copy of the anchor). Before trusting a pasted anchor, check that its key tag and DS digest match what IANA publishes at the URL in the comment. The key below (tag 19036) is the 2010 root KSK; the root rolled to a new KSK (tag 20326) in October 2018, so a current installation should take the anchor from that URL rather than from this page:

managed-keys {
 # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
 # for current trust anchor information.
 # NOTE: This key is activated by setting "dnssec-validation auto;"
 # in named.conf.
 . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
  FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
  bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
  X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
  W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
  Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
  QxA+Uk1ihz0=";
};

2. Generate Keys

The ZSK (Zone Signing Key) signs the records within the zone. It is rolled frequently (the usual recommendation is monthly), so it can be shorter:

$ dnssec-keygen -a RSASHA1 -b 1024 -n ZONE zonename

The KSK (Key Signing Key) signs only the DNSKEY RRset and is what the parent's DS record points to, so it can be stronger since it is rolled less often (typically yearly):

$ dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK zonename

Each command writes a Kzonename.+005+<keytag>.key (public DNSKEY record) and a matching .private file into the current directory; 005 is the algorithm number of RSASHA1. Note that RSASHA1 is no longer recommended for signing (RFC 8624); today use -a RSASHA256 (algorithm 8, files named +008+) or an elliptic-curve algorithm such as ECDSAP256SHA256.

3. Add keys to zonefile

; Zone Signing Key (11111 and 22222 stand for the real key tags from step 2)
$INCLUDE Kzonename.+005+11111.key
; Key Signing Key
$INCLUDE Kzonename.+005+22222.key

4. Sign the Zone

$ dnssec-signzone -o zonename zonefile

The output is written to zonefile.signed; a dsset-zonename. file with the DS records to hand to the parent zone is written alongside it. The key files from step 2 must be in the current directory (or be pointed to with -K). -o names the zone origin; without it dnssec-signzone takes the origin from the zone file name.

5. Validate the signed zonefile

$ donuts zonefile.signed zonename

donuts is part of the DNSSEC-Tools suite; BIND's own named-checkzone also works as a basic load check.

6. Publish the signed zone

Point the zone statement in named.conf at the signed file, then reload named (rndc reload zonename):

zone "zonename" {
 type master;
 file "/etc/bind/zonename/zonefile.signed";
};

7. Testing

$ dig zonename SOA +dnssec +multiline

The answer should now carry an RRSIG record next to the SOA. Ask the same question through a validating resolver (step 1) and the flags line should include ad, meaning the chain of trust validated; that only works once the parent zone publishes the DS record from the dsset file.
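As an added check for the managed-keys anchor in step 1 and for the keys generated in step 2 (example code, mine, not from the original post or from BIND): this Python computes the RFC 4034 key tag and DS record for a DNSKEY presentation line. Run against the root KSK pasted above it must give key tag 19036 and the SHA-256 DS digest IANA publishes, which is how you confirm a trust anchor was copied correctly; run against your own Kzonename.+005+nnnnn.key file it gives the key tag in the file name and the DS record to hand to the parent zone. The function names are mine, and the root key text is copied from the managed-keys block.

```python
import base64
import hashlib
import struct

# Root KSK (KSK-2010) exactly as it appears in the managed-keys block above:
# flags 257 (KSK/SEP), protocol 3, algorithm 8 (RSASHA256), owner name "."
ROOT_KSK_LINE = (
    ". IN DNSKEY 257 3 8 "
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF"
    "FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX"
    "bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD"
    "X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz"
    "W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS"
    "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq"
    "QxA+Uk1ihz0="
)


def canonical_name(name):
    """Owner name in canonical wire form (RFC 4034 6.2): lower-case labels, no compression."""
    if name in (".", ""):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.lower().encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey_line(line):
    """Parse a presentation-format DNSKEY RR as found in K*.key files or dig output.
    TTL and class are optional. Returns (owner, flags, protocol, algorithm, rdata)."""
    fields = line.split()
    owner = fields[0]
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    rdata = struct.pack(">HBB", flags, protocol, algorithm) + pubkey
    return owner, flags, protocol, algorithm, rdata


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit sum over the RDATA with carry folded back in
    (valid for every algorithm except the obsolete RSAMD5, algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """RFC 4034 5.1.4: digest over canonical owner name || DNSKEY RDATA. 1 = SHA-1, 2 = SHA-256."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(canonical_name(owner) + rdata).hexdigest().upper()


def ds_record(line, digest_type=2):
    """Presentation-format DS record for a DNSKEY line, like the one dnssec-signzone writes into dsset-<zone>."""
    owner, _flags, _proto, algorithm, rdata = parse_dnskey_line(line)
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), algorithm, digest_type,
                                       ds_digest(owner, rdata, digest_type))


def check_trust_anchor(line, expected_tag, expected_ds_sha256):
    """True if a pasted anchor has the key tag and SHA-256 DS digest published at
    https://data.iana.org/root-anchors/root-anchors.xml (values passed in by the caller)."""
    owner, _f, _p, _a, rdata = parse_dnskey_line(line)
    return key_tag(rdata) == expected_tag and ds_digest(owner, rdata, 2) == expected_ds_sha256.upper()


if __name__ == "__main__":
    print(ds_record(ROOT_KSK_LINE))
```

For a zone key, paste the DNSKEY line from the KSK's .key file into ds_record; the key tag it prints is the number in the file name, and the DS line is what goes to the registrar or parent zone.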

Difference between the ssh-keygen key-pair fingerprint and the Amazon EC2 fingerprint

We have an RSA SSH key pair and can check its fingerprint:

$ ssh-keygen -l -f ~/.ssh/id_rsa.pub
2048 f5:26:50:e6:f6:92:b6:7b:87:4d:64:6c:90:6d:1a:a0  mmalchuk@mmalchuk (RSA)
$ ssh-keygen -l -f ~/.ssh/id_rsa
2048 f5:26:50:e6:f6:92:b6:7b:87:4d:64:6c:90:6d:1a:a0  mmalchuk@mmalchuk (RSA)

Now upload this public key into Amazon EC2:

$ ec2-import-keypair mykeypair --public-key-file ~/.ssh/id_rsa.pub
KEYPAIR	mykeypair	26:f4:9f:a3:f6:0e:4e:31:6c:25:06:9c:eb:4d:cf:ae

The key was uploaded, but with a different fingerprint? Not really: both fingerprints are MD5 digests, but over different encodings of the same key. ssh-keygen hashes the SSH wire-format public key blob (the base64 part of id_rsa.pub), whereas EC2 hashes the DER-encoded SubjectPublicKeyInfo of an imported public key. Let's check it another way:

$ openssl pkey -in ~/.ssh/id_rsa -pubout -outform DER | openssl md5 -c
(stdin)= 26:f4:9f:a3:f6:0e:4e:31:6c:25:06:9c:eb:4d:cf:ae

Good, this is our key. Two caveats: newer OpenSSH prints SHA256 fingerprints by default, and ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub restores the MD5 form shown above; and EC2 fingerprints key pairs it generated itself differently, as a SHA-1 digest of the DER-encoded private key, so this comparison only applies to imported keys.
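To see the difference in code, here is an added Python example (my own, not from the original post, OpenSSH or AWS) that computes both digests for one RSA public key: the ssh-keygen style MD5 over the SSH wire-format blob from id_rsa.pub, and the EC2 import style MD5 over the DER-encoded SubjectPublicKeyInfo, i.e. the same bytes openssl pkey -pubout -outform DER emits. The sample key is a toy modulus constructed inline so the block runs offline; the function names are mine. Point ssh_keygen_fingerprint and ec2_import_fingerprint at a real ~/.ssh/id_rsa.pub line to reproduce the two outputs shown above.

```python
import base64
import hashlib
import struct


def _be(n):
    """Minimal big-endian bytes of a non-negative int, with a leading 0x00 if the top bit is set
    (both SSH mpint and DER INTEGER are two's complement and must not read as negative)."""
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return b"\x00" + b if b[0] & 0x80 else b


def ssh_string(b):
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_rsa_blob(e, n):
    """RFC 4253 6.6 public key blob: string "ssh-rsa", mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_string(_be(e)) + ssh_string(_be(n))


def openssh_line(e, n, comment="test"):
    """Build an id_rsa.pub style line from (e, n)."""
    return "ssh-rsa %s %s" % (base64.b64encode(ssh_rsa_blob(e, n)).decode(), comment)


def parse_openssh_line(line):
    """Parse an id_rsa.pub / authorized_keys line; returns (e, n, raw blob)."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1])
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big"), blob


def der(tag, body):
    """DER TLV with definite-length encoding (short or long form)."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def spki_der(e, n):
    """SubjectPublicKeyInfo { rsaEncryption, NULL } BIT STRING { RSAPublicKey { n, e } }:
    the bytes `openssl pkey -pubout -outform DER` produces for this key."""
    rsa_oid = der(0x06, bytes.fromhex("2A864886F70D010101"))  # 1.2.840.113549.1.1.1
    alg_id = der(0x30, rsa_oid + der(0x05, b""))
    rsa_pub = der(0x30, der(0x02, _be(n)) + der(0x02, _be(e)))
    return der(0x30, alg_id + der(0x03, b"\x00" + rsa_pub))  # leading 0x00 = no unused bits


def colon_md5(data):
    return ":".join("%02x" % b for b in hashlib.md5(data).digest())


def ssh_keygen_fingerprint(line):
    """What `ssh-keygen -l -E md5` prints: MD5 over the SSH wire blob."""
    return colon_md5(parse_openssh_line(line)[2])


def ec2_import_fingerprint(line):
    """What EC2 shows for an imported key: MD5 over the DER SubjectPublicKeyInfo."""
    e, n, _blob = parse_openssh_line(line)
    return colon_md5(spki_der(e, n))


# Constructed toy key (n = 61 * 53, e = 17); NOT a real key, it only exercises the encoders.
SAMPLE_LINE = openssh_line(17, 3233, "toy@example")


if __name__ == "__main__":
    print("ssh-keygen:", ssh_keygen_fingerprint(SAMPLE_LINE))
    print("ec2 import:", ec2_import_fingerprint(SAMPLE_LINE))
```

Both functions hash the same (e, n); only the serialization differs, which is why the page's openssl pipeline (DER public key piped into md5) reproduces the EC2 value while ssh-keygen does not.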

Stable nginx 1.0+ for Debian 6 (squeeze)

At last, no more dodgy third-party repositories or hand-built nginx! One caveat before you paste the lines below: the signing key is fetched over plain HTTP, and whoever controls that key controls what apt will install, so fetch it over HTTPS (nginx.org serves it) and compare its fingerprint with the one published on nginx.org before adding it.

wget -qO - http://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb http://nginx.org/packages/debian/ squeeze nginx" >>/etc/apt/sources.list
apt-get update && apt-get dist-upgrade && apt-get clean

Which gives us:

nginx version: nginx/1.4.1
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
 --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log
 --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid
 --lock-path=/var/run/nginx.lock
 --http-client-body-temp-path=/var/cache/nginx/client_temp
 --http-proxy-temp-path=/var/cache/nginx/proxy_temp
 --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
 --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
 --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx
 --with-http_ssl_module --with-http_realip_module --with-http_addition_module
 --with-http_sub_module --with-http_dav_module --with-http_flv_module
 --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module
 --with-http_random_index_module --with-http_secure_link_module
 --with-http_stub_status_module --with-mail --with-mail_ssl_module
 --with-file-aio --with-ipv6

BILLmanager and number of VDS templates

SELECT p.id, p.name, COUNT(dp.diskimage) AS templates
FROM pricelist p
LEFT JOIN diskimage2pricelist dp
ON p.id = dp.pricelist
WHERE p.type = 6           -- the VDS tariffs
GROUP BY p.id, p.name;     -- group by the tariff itself: with a LEFT JOIN, tariffs that have
                           -- no templates get dp.pricelist = NULL and would collapse into one row
 
+-----+--------------------------------------+-----------+
| id  | name                                 | templates |
+-----+--------------------------------------+-----------+
|  63 | Сервер VDS1 (Базовый)                |        65 |
|  64 | Сервер VDS2 (Стандарт)               |        65 |
|  65 | Сервер VDS3 (Эксперт)                |        65 |
|  66 | Сервер VDS4 (Бизнес)                 |        65 |
|  95 | Сервер VBX1 (Базовый)                |         2 |
|  99 | Сервер VBX2 (Стандарт)               |         2 |
| 103 | Сервер VBX3 (Эксперт)                |         2 |
| 107 | Сервер VBX4 (Бизнес)                 |         2 |
+-----+--------------------------------------+-----------+
8 rows in set (0.00 sec)

MySQL console client tuning

Let's make a nicer, more convenient prompt:

mysql> prompt (\u@\h) [\d] >
PROMPT set to '(\u@\h) [\d] >'
(root@localhost) [database] >

where \u is the user, \h the host and \d the current database.

(root@localhost) [database] >pager less -iMSx4 -FX
PAGER set to 'less -iMSx4 -FX'

Now we have convenient navigation with the arrow keys, up/down and left/right ;) The less options: -i case-insensitive search, -M a verbose status line, -S truncate long lines instead of wrapping them (so wide rows scroll sideways), -x4 four-column tab stops, -F quit immediately if the output fits on one screen, -X don't clear the screen on exit.

# cat ~/.my.cnf
[client]
default-character-set=utf8
 
[mysql]
pager = 'less -iMSx4 -FX'
prompt = '(\u@\h) [\d] > '

Add it to the config so it is always like this, and put it in the [mysql] section: [client] is read by every MySQL client program, so the other clients (mysqldump or mysqladmin) would complain about unknown options.

MySQL console client and multi-byte output problem

mysql> SELECT 'John Doe' as 'Джон Доу';
+-----------------+
| Джон Доу |
+-----------------+
| John Doe        |
+-----------------+
1 row in set (0.00 sec)
 
mysql> set NAMES utf8;
Query OK, 0 rows affected (0.00 sec)
 
mysql> SELECT 'John Doe' as 'Джон Доу';
+-----------------+
| Джон Доу |
+-----------------+
| John Doe        |
+-----------------+
1 row in set (0.00 sec)

As you can see, SET NAMES utf8 didn't help; it turns out this is an old problem. SET NAMES only changes the connection character set on the server side, while the mysql client still computes column widths with the character set it was started with, so multi-byte column headers are padded wrongly. Starting the client with the right character set fixes it:

# mysql --default-character-set=utf8
 
mysql> SELECT 'John Doe' as 'Джон Доу';
+-----------------+
| Джон Доу        |
+-----------------+
| John Doe        |
+-----------------+
1 row in set (0.00 sec)

Create a config file for the client so this applies every time:

# cat ~/.my.cnf
[client]
default-character-set=utf8

Vesta Control Panel

About:

  • open source hosting control panel
  • easy and focused interface
  • innovative web technologies

Features:

  • Web Server
  • DNS server
  • Database Server
  • Mail Server
  • FTP Server
  • Nginx out of the box
  • SSL certificates & SNI
  • Wildcard support
  • Configuration Templates
  • DKIM support
  • Fast Backups
  • System Monitoring
  • AntiSpam / Antivirus
  • WHMCS billing support
  • EPEL integration
  • Simple and Clean GUI
  • Powerful CLI
  • Reliable Platform
  • Open Data Format
  • GPL v3 License

Install:

# Connect to your server as root via SSH (your-server is a placeholder for its address)
ssh root@your-server
# Download the installation script; it is fetched over plain HTTP here, so review it before running it as root
curl -O http://vestacp.com/pub/vst-install.sh
# Run it
bash vst-install.sh

Links:
Official site
Habrahabr
Vesta Installation Screencast