OpenNebula’s Marketplace – VyOS 1.1.5 Helium OS image for KVM

Hi,
I’ve uploaded an image to OpenNebula’s marketplace with the latest stable 64-bit VyOS version, called Helium, for KVM. If you need help or have questions, please send me your comment or contact me through my personal website.

Soon I’ll publish a post on OpenNebula’s blog about VyOS.

Cheers!

CentOS 7 – Installing NGINX + Phusion Passenger

Update: Please read the instructions provided by the Phusion Passenger developers for a detailed and updated how-to.

Today I’m sharing how I installed NGINX and Phusion Passenger in my CentOS 7 lab using the RPM packages kindly provided by Ulyaoth. Phusion Passenger offers an installer (passenger-install-nginx-module) that helps you install NGINX and Passenger easily, in five minutes, but Ulyaoth’s sbagmeijer does impressive work packaging so many useful tools and servers, and it’s always a good idea to use RPMs.

We’ll start by configuring the EPEL and Ulyaoth repositories:

cat <<EOT > /etc/yum.repos.d/uylaoth.repo
[ulyaoth]
name=Ulyaoth Repository
baseurl=https://repos.ulyaoth.net/CentOS/\$releasever/\$basearch/
enabled=1
gpgcheck=1
gpgkey=https://raw.githubusercontent.com/sbagmeijer/ulyaoth/master/Repository/ulyaoth/SOURCES/RPM-GPG-KEY-ulyaoth
EOT

yum install -y epel-release

Now we’ll install the nginx-passenger package from the Ulyaoth repository:

yum install -y ulyaoth-nginx-passenger5

We’ll set the server name in the /etc/nginx/conf.d/default.conf file:

server_name tornasol.artemit.local;

We’ll change the following line in the /etc/nginx/conf.d/passenger.conf file:

passenger_instance_registry_dir /var/run/passenger;

We’ll add the following line to the /root/.bash_profile file to set a new environment variable needed by passenger-status (remember to open a new session to load the new variable :-D):

echo 'export PASSENGER_INSTANCE_REGISTRY_DIR=/var/run/passenger' >> /root/.bash_profile

We’ll create the /var/run/passenger directory and set permissions and ownership:

mkdir /var/run/passenger
chmod -R 755 /var/run/passenger
chown -R nginx:nginx /var/run/passenger

We’ll add the following config file so that the /var/run/passenger temporary directory is created after a system restart:

cat <<EOT > /etc/tmpfiles.d/passenger.conf
d /var/run/passenger 0755 nginx nginx
EOT

We should add a rule to the firewall allowing HTTP traffic:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port port="80" protocol="tcp" accept'

firewall-cmd --reload

We should enable the service to start at boot time:

systemctl enable nginx.service

Finally we’ll start the service and check that it’s running (we’ll see nginx and Passenger binaries):

systemctl start nginx.service
systemctl status nginx.service

[...]
nginx.service - nginx - high performance web server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled)
Active: active (running) since vie 2015-04-03 12:41:52 CEST; 8s ago
...
CGroup: /system.slice/nginx.service
├─20924 PassengerAgent watchdog
├─20927 PassengerAgent server
├─20932 PassengerAgent logger
├─20942 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
└─20944 nginx: worker process
[...]

And don’t forget to test your NGINX server, which listens on port 80 by default:

[Screenshot: NGINX running]

Of course, if you’re using SELinux, you may run the following commands:

yum install -y policycoreutils-python

We’ll change the context for the root HTML directory (we set read and write permissions; you can set read-only permissions using httpd_sys_content_t instead):

semanage fcontext -a -t httpd_sys_rw_content_t "/usr/share/nginx/html(/.*)?"
restorecon -Rv /usr/share/nginx/html

We’ll change the context for the Passenger log directory:

semanage fcontext -a -t httpd_log_t "/var/log/passenger(/.*)?"
restorecon -Rv /var/log/passenger

We’ll change the context for the PassengerAgent binary:

semanage fcontext -a -t httpd_exec_t "/etc/nginx/modules/passenger/buildout/support-binaries/PassengerAgent"
restorecon -v /etc/nginx/modules/passenger/buildout/support-binaries/PassengerAgent

We’ll change the context for Passenger’s native support:

semanage fcontext -a -t httpd_exec_t /etc/nginx/modules/passenger/buildout/ruby/ruby-2.0.0-x86_64-linux/passenger_native_support.so
restorecon -v /etc/nginx/modules/passenger/buildout/ruby/ruby-2.0.0-x86_64-linux/passenger_native_support.so

We’ll change the context for passenger-status and passenger-memory-stats:

semanage fcontext -a -t bin_t "/etc/nginx/modules/passenger/bin/passenger-memory-stats"
semanage fcontext -a -t bin_t "/etc/nginx/modules/passenger/bin/passenger-status"
restorecon -v /etc/nginx/modules/passenger/bin/passenger-memory-stats
restorecon -v /etc/nginx/modules/passenger/bin/passenger-status

We’ll set the following SELinux boolean variables:

setsebool -P httpd_run_stickshift 1
setsebool -P httpd_setrlimit 1
setsebool -P httpd_tmp_exec 1

We’ll add an SELinux policy so PassengerAgent runs fine:

yum install -y policycoreutils-devel

mkdir /root/policy
cd /root/policy

cat <<EOT > /root/policy/passengeragent.te
policy_module(passengeragent, 1.0)
gen_require(\`
type httpd_t;
type httpd_tmp_t;
type httpd_var_run_t;
type kernel_t;
class capability2 block_suspend;
class capability sys_ptrace;')

allow httpd_t self:capability2 block_suspend;
allow httpd_t self:capability sys_ptrace;
allow httpd_t httpd_tmp_t:file execute;
allow httpd_t httpd_var_run_t:file execute;
EOT

make -f /usr/share/selinux/devel/Makefile passengeragent.pp

semodule -i passengeragent.pp
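
Before loading a custom module like this one, it is worth comparing its allow rules with the AVC denials actually recorded for httpd_t. The following is an added example, not part of the original post: the function names avc_to_allow and sample_denials are hypothetical, and the audit log lines are constructed so that they yield the four allow rules used above.

```shell
#!/bin/sh
# Added example: turn SELinux AVC denials into candidate allow rules for review.

# Constructed audit.log excerpt (not taken from a real host).
sample_denials() {
cat <<'EOF'
type=AVC msg=audit(1428057712.101:301): avc:  denied  { execute } for  pid=20927 comm="PassengerAgent" name="sample" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1428057712.101:301): arch=c000003e success=no comm="PassengerAgent"
type=AVC msg=audit(1428057712.204:302): avc:  denied  { sys_ptrace } for  pid=20927 comm="PassengerAgent" capability=19 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1428057713.310:303): avc:  denied  { block_suspend } for  pid=20944 comm="nginx" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
type=AVC msg=audit(1428057714.415:304): avc:  denied  { execute } for  pid=20927 comm="PassengerAgent" name="sample" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
type=AVC msg=audit(1428057715.520:305): avc:  denied  { execute } for  pid=20927 comm="PassengerAgent" name="sample" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
EOF
}

# Read audit log lines on stdin and print one allow rule per distinct
# (source type, target type, class, permission) denial, in order of appearance.
avc_to_allow() {
    awk '
    /avc: +denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""
        # The denied permissions sit between "{" and "}".
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            # A context is user:role:type:level, so the type is the third part.
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "" || perms == "") next
        # A domain acting on itself is written "self" in policy source.
        if (src == tgt) tgt = "self"
        n = split(perms, p, / +/)
        for (j = 1; j <= n; j++) {
            rule = "allow " src " " tgt ":" cls " " p[j] ";"
            if (!(rule in seen)) { seen[rule] = 1; print rule }
        }
    }'
}

sample_denials | avc_to_allow
```

On a real host, feed it /var/log/audit/audit.log instead of the sample; the audit2allow tool from policycoreutils-python does the same job more completely.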

And that’s all. I hope this post helps you, and I look forward to your feedback about errors and suggestions.

Thanks for reading!