CentOS 7. Did you know…?

This post is just a reminder of some things that you may have not noticed when working with CentOS 7. I’ll be updating it from time to time.

• Remember those times when you had to use nohup with a command so it could run on the background even if you closed the shell from where it was launched? That’s no longer needed with CentOS 7, if you have a background job and you close that shell, the process will run! No more nohup needed.
• You can use yum to install locally rpm files you’ve downloaded so dependencies are installed automatically. We used to use yum localinstall but now you can use yum install right away.

OPENVSWITCH LTS IN CENTOS 6

As some visitors have asked me about installing Open vSwitch on CentOS 6, I’m writing the following post after my first about it almos three years ago. If you find a better way, please let me know so I update the post and remove useless info from the Internet 😉

I’ve found this repository by Alexander Evseev so you may try to use the openvswitch packages (you even have the kmod package) found there. Have a look: http://download.opensuse.org/repositories/home:/aevseev/CentOS6/x86_64/

In any case… I’ll show you what you can do to generate your own RPM packages the old way (no python api supported as it requires Python 2.7 while CentOS 6 uses Python 2.6):

Current LTS version: 2.5.0
Tested on: CentOS 6.8

Let’s start installing some packages:

yum -y install wget openssl-devel gcc make python-devel openssl-devel kernel-devel graphviz kernel-debug-devel autoconf automake rpm-build redhat-rpm-config libtool python-twisted-core python-zope-interface PyQt4 desktop-file-utils libcap-ng-devel groff checkpolicy selinux-policy-devel

Let’s add a new user and switch to that user:

adduser ovs; su - ovs

Let’s prepare the build environment and download the source code:

mkdir -p ~/rpmbuild/SOURCES
wget http://openvswitch.org/releases/openvswitch-2.5.0.tar.gz
cp openvswitch-2.5.0.tar.gz ~/rpmbuild/SOURCES/
tar xfz openvswitch-2.5.0.tar.gz

Now go to the openvswitch directory

cd openvswitch-2.5.0

Let’s modify some lines in the old rhel6 spec file provided by Nicira (copy and paste):

sed -i "s/Requires: logrotate, python >= 2.7/Requires: logrotate/" rhel/openvswitch.spec
sed -i "/$RPM_BUILD_ROOT\/usr\/bin\/ovs-test/d" rhel/openvswitch.spec
sed -i "/$RPM_BUILD_ROOT\/usr\/bin\/ovs-l3ping/d" rhel/openvswitch.spec
sed -i "/\/usr\/bin\/ovs-parse-backtrace/d" rhel/openvswitch.spec
sed -i "/\/usr\/bin\/ovs-pcap/d" rhel/openvswitch.spec
sed -i "/\/usr\/bin\/ovs-tcpundump/d" rhel/openvswitch.spec
sed -i "/\/usr\/bin\/ovs-vlan-test/d" rhel/openvswitch.spec
sed -i "/\/usr\/share\/man\/man8\/ovs-bugtool.8.gz/d" rhel/openvswitch.spec
sed -i "/\/usr\/share\/openvswitch\/bugtool-plugins/d" rhel/openvswitch.spec
sed -i "/\/usr\/share\/openvswitch\/scripts\/ovs-bugtool-*/d" rhel/openvswitch.spec
sed -i "/\/usr\/share\/openvswitch\/python/d" rhel/openvswitch.spec
sed -i "/\/usr\/share\/openvswitch\/scripts\/ovs-bugtool-*/d" rhel/openvswitch.spec
sed -i "/\/usr\/bin\/ovs-dpctl-top/d" rhel/openvswitch.spec
sed -i "/\/usr\/sbin\/ovs-bugtool/d" rhel/openvswitch.spec
echo "/usr/bin/ovs-testcontroller" >> rhel/openvswitch.spec

Finally let’s build the RPM packages… and have a cup of coffee as tests are being run! At least you can tell if it works… 😛

rpmbuild -bb rhel/openvswitch.spec

Once the build is finished, type exit.

exit

CentOS 6 already provides an openvswitch kernel module, so we’ve only compiled the binary tools.

[root@localhost ~]# modinfo openvswitch
filename: /lib/modules/2.6.32-642.3.1.el6.x86_64/kernel/net/openvswitch/openvswitch.ko
license: GPL
description: Open vSwitch switching datapath
srcversion: 00938868C288DBF055E30F3
depends: libcrc32c,vxlan
vermagic: 2.6.32-642.3.1.el6.x86_64 SMP mod_unload modversions

As root, we’ll install the RPM package.

 yum localinstall /home/ovs/rpmbuild/RPMS/x86_64/openvswitch-2.5.0-1.x86_64.rpm -y

Finally, start the openvswitch service and check that it’s running

service openvswitch start
...output...
/etc/openvswitch/conf.db does not exist ... (warning).
Creating empty database /etc/openvswitch/conf.db [ OK ]
Starting ovsdb-server [ OK ]
Configuring Open vSwitch system IDs [ OK ]
Inserting openvswitch module [ OK ]
Starting ovs-vswitchd [ OK ]
Enabling remote OVSDB managers [ OK ]

service openvswitch status
...output...
ovsdb-server is running with pid 3404
ovs-vswitchd is running with pid 3416

If you want the openvswitch service to start at boot time:

chkconfig openvswitch on

Let’s check that the command-line tools are ready:

ovs-vsctl -V
...output...
ovs-vsctl (Open vSwitch) 2.5.0
Compiled Aug 31 2016 19:54:41
DB Schema 7.12.1

Done. I can’t be sure if it will work for you as I haven’t been using Open vSwitch with CentOS 6 for a long time… so any feedback is welcomed!

Cheers!

Installing latest RabbitMQ on CentOS 7

This post is a quick reminder for the future that may help you too.

If you want to install the latest RabbitMQ package for your CentOS 7 you can do it in only three steps:

sudo yum install epel-release -y
sudo curl -s https://packagecloud.io/install/repositories/rabbitmq/rabbitmq-server/script.rpm.sh | sudo bash
sudo yum install rabbitmq-server -y

Then, as always, you can start it and enable the service:

sudo systemctl enable rabbitmq-server
sudo systemctl start rabbitmq-server

Check that the service is running either with:

sudo systemctl is-active rabbitmq-server

or:

sudo systemctl status rabbitmq-server

If serving to remote hosts, a firewalld rule may be useful:

firewall-cmd --add-port=5672/tcp --zone=public --permanent
firewall-cmd --reload

See ya!

Reference: https://www.rabbitmq.com/install-rpm.html

 

Installing CoreOS etcd server on CentOS 7

While I’m preparing a shell script or test some Ansible roles available at Ansible Galaxy so the installation is automatic, here I show you the steps I followed to install by hand the Etcd server on CentOS 7 as quick and fast as possible.

First of all we have to create some directories (/var/lib/etcd and /etc/etcd) and add the etcd user and group

mkdir /var/lib/etcd;mkdir /etc/etcd; groupadd -r etcd; useradd -r -g etcd -d /var/lib/etcd -s /sbin/nologin -c "etcd user" etcd;chown -R etcd:etcd /var/lib/etcd

Now we have to add a systemd service definition for our etcd service

cat << EOT > /usr/lib/systemd/system/etcd.service
[Unit]
Description=etcd service
After=network.target

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
EnvironmentFile=-/etc/etcd/etcd.conf
User=etcd
ExecStart=/usr/bin/etcd
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOT

Warning: The etcd service needs a configuration file, we install a really simple one that should be modified according to your needs, e.g add urls with your server’s IP address or DNS names so your server is not only useful for localhost and secure client requests. Read https://github.com/coreos/etcd for more info.

cat << EOT > /etc/etcd/etcd.conf
 # [member]
 ETCD_NAME=default
 ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
 #ETCD_SNAPSHOT_COUNTER="10000"
 #ETCD_HEARTBEAT_INTERVAL="100"
 #ETCD_ELECTION_TIMEOUT="1000"
 #ETCD_LISTEN_PEER_URLS="http://localhost:2380,http://localhost:7001"
 ETCD_LISTEN_CLIENT_URLS="http://localhost:2379"
 ETCD_ADVERTISE_CLIENT_URLS="http://localhost:2379"
 #ETCD_MAX_SNAPSHOTS="5"
 #ETCD_MAX_WALS="5"
 #ETCD_CORS=""
 #
 #[cluster]
 #ETCD_INITIAL_ADVERTISE_PEER_URLS="http://localhost:2380,http://localhost:7001"
 # if you use different ETCD_NAME (e.g. test), set ETCD_INITIAL_CLUSTER value for this name, i.e. "test=http://..."
 #ETCD_INITIAL_CLUSTER="default=http://localhost:2380,default=http://localhost:7001"
 #ETCD_INITIAL_CLUSTER_STATE="new"
 #ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
 #ETCD_ADVERTISE_CLIENT_URLS="http://localhost:2379,http://localhost:4001"
 #ETCD_DISCOVERY=""
 #ETCD_DISCOVERY_SRV=""
 #ETCD_DISCOVERY_FALLBACK="proxy"
 #ETCD_DISCOVERY_PROXY=""
 #
 #[proxy]
 #ETCD_PROXY="off"
 #
 #[security]
 #ETCD_CA_FILE=""
 #ETCD_CERT_FILE=""
 #ETCD_KEY_FILE=""
 #ETCD_PEER_CA_FILE=""
 #ETCD_PEER_CERT_FILE=""
 #ETCD_PEER_KEY_FILE=""
 EOT

Time to download and install etcd binaries for Linux x86_64, the following commands should be good for any Linux distro. It downloads the latest stable version available, creates a directory for any downloaded version and changes the symbolinc link accordingly. It runs etcd with the version argument to check that the binary works fine.

ETCD_VERSION=`curl -s -L https://github.com/coreos/etcd/releases/latest | grep linux-amd64\.tar\.gz | grep href | cut -f 6 -d '/' | sort -u`; ETCD_DIR=/opt/etcd-$ETCD_VERSION; mkdir $ETCD_DIR;curl -L https://github.com/coreos/etcd/releases/download/$ETCD_VERSION/etcd-$ETCD_VERSION-linux-amd64.tar.gz | tar xz --strip-components=1 -C $ETCD_DIR; ln -sf $ETCD_DIR/etcd /usr/bin/etcd && ln -sf $ETCD_DIR/etcdctl /usr/bin/etcdctl; etcd --version

We can enable and start the etcd server with:

systemctl enable etcd; systemctl start etcd

Check etcd service status

systemctl status etcd

● etcd.service – etcd service
Loaded: loaded (/usr/lib/systemd/system/etcd.service; enabled; vendor preset: disabled)
Active: active (running) since lun 2016-08-01 10:05:51 UTC; 2s ago
Main PID: 31051 (etcd)
CGroup: /system.slice/etcd.service
└─31051 /usr/bin/etcd

ago 01 10:05:51 localhost.localdomain etcd[31051]: ready to serve client requests
ago 01 10:05:51 localhost.localdomain etcd[31051]: serving insecure client requests on localhost:2379, this is strongly discouraged!
ago 01 10:05:51 localhost.localdomain systemd[1]: Started etcd service.

As you may notice there’s a warning about “serving insecure client requests on localhost:2379, this is strongly discouraged!” once again please change the configuration for your needs and set it safely.

I’ll try update this post so you may follow this blog.

Cheers!

Project Atomic – Installing VM with Vagrant, Libvirt and get more space for the /var/lib/docker directory

I’m playing with Project Atomic. I use Vagrant in my Fedora 23 desktop as helps me to increase my productivity when working with VM :D. As I prefer to use libvirt over VirtualBox as my vagrant provider I install the following packages:

sudo dnf install vagrant-libvirt virt-manager

By default the Atomic Host virtual machine has little space for new containers and images (about 2 GB) so if you don’t remove your containers often you’re not going to have much fun. In this post I’m installing the atomic-host and assign more space to the /var/lib/docker directory which is the place our images, containers and other docker files will be stored.

I create the Vagrantfile for the official atomic-host box:

vagrant init centos/atomic-host

Then I edit the Vagrantfile. I’m adding a QCOW2 file that will act as a virtual disk (I’m using 30G). I use as a reference the vagrant-libvirt documentation. I add the following lines after config.vm.box = “centos/atomic-host”

config.vm.provider :libvirt do |libvirt|
   libvirt.storage :file, :size => ’30G’
end

I start the virtual machine:

vagrant up –provider libvirt

In the vagrant up logs I can see that a new 30 GB disk has been added to the virtual machine.

==> default: — Disks: vdb(qcow2,30G)

==>default:– Disk(vdb): /var/lib/libvirt/images/atomichost_default-vdb.qcow2

Now I open a SSH session:

vagrant ssh

I create a partition for the /dev/vdb disk and change type to LVM so I can add more storage in the future easily. Here are shown only the important parts:

sudo fdisk /dev/vdb

…
Command (m for help): n
Partition type:
p primary (0 primary, 0 extended, 4 free)
e extended
Select (default p): p
Partition number (1-4, default 1): Press Enter
First sector (2048-62914559, default 2048): Press Enter
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-62914559, default 62914559): Press Enter
Using default value 62914559
Partition 1 of type Linux and of size 30 GiB is set
Command (m for help): t
Selected partition 1
Hex code (type L to list all codes): 8e
Changed type of partition ‘Linux’ to ‘Linux LVM’
Command (m for help): w

The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.

Now I’m going to use Logical Volume Management. That way if I need more space in the future I could add a new virtual disk to the logical volume. First I create the physical volume for LVM:

sudo pvcreate /dev/vdb1
Physical volume “/dev/vdb1” successfully created

I create a volume group and add the /dev/vdb1 partition to that volume group:

sudo vgcreate atomic_vg /dev/vdb1

I create a logical volume group and add all the space available in the volume group

sudo lvcreate -l 100%FREE -n atomic_lv atomic_vg

I add a filesystem to the logical volume partition. The logical volume is where I will store all the /var/lib/docker files. I’m using XFS as my filesystem type.

sudo mkfs.xfs /dev/mapper/atomic_vg-atomic_lv

I add an entry to /etc/fstab

sudo sh -c “echo ‘/dev/mapper/atomic_vg-atomic_lv /var/lib/docker xfs defaults 0 0’ >> /etc/fstab”

I stop the docker service so no newer files are copied to the existing /var/lib/docker directory

sudo systemctl stop docker

I mount temporarily the logical volume under /media

sudo mount /dev/mapper/atomic_vg-atomic_lv /media

I copy all the existing files from /var/lib/docker to the logical volume

sudo sh -c “cp -r /var/lib/docker/* /media/”

I umount the logical volume

sudo umount /media

I try to mount the new partition:

sudo mount -a

I check that the new /var/lib/docker is ready

sudo df -kh

Filesystem Size Used Avail Use% Mounted on
…
/dev/mapper/atomic_vg-atomic_lv 30G 33M 30G 1% /var/lib/docker
…

There it is 30 GB for my new images and containers!. Finally I start againt the docker engine service:

sudo systemctl start docker

Well that was long, wasn’t it, but at least I’ve more space to play now!

Note: In case you want to add more space using a new qcow2 after you’ve already run vagrant up, according to this issue,  if you’ve already instantiated the VM with vagrant up, if you change the Vagrantfile to add a new disk (e.g libvirt.storage :file, :size => ’30G’) it won’t work after a vagrant reload, no new virtual disk will be added so alternatively you can halt the virtual machine and use virt-manager to add a new disk and follow the fdisk, pvcreate, mount steps…

Service definition to run Cockpit on system startup for CentOS Atomic SIG

I’m working these days with Project Atomic. You should have a look to the awesome Quickstart guide.

I’ve chosen to use Vagrant with the CentOS Atomic SIG so playing with Project Atomic is really easy (change to virtualbox if using that provider :D)

vagrant init centos/atomic-host; vagrant up –provider libvirt

One of the first things I’ve tested is Cockpit’s web server manager. It’s pretty cool and easy to install following the guide.

Once inside the Project Atomic host, Cockpit’s container is intalled with the following command:

vagrant ssh
sudo atomic run cockpit/ws

Remember, I use this blog so I don’t forget my notes. I’m just sharing with you the service definition needed to run Cockpit on system startup when working with CentOS Atomic SIG and not Fedora’s version which is explained in the source for this post. This file must be placed at /etc/systemd/system/cockpitws.service

[Unit]
Description=Cockpit Web Interface
Requires=docker.service
After=docker.service

[Service]
Restart=on-failure
RestartSec=10
ExecStart=/usr/bin/docker run --rm --privileged --pid host -v /:/host --name %p cockpit/ws /container/atomic-run --local-ssh
ExecStop=-/usr/bin/docker stop -t 2 %p

[Install]
WantedBy=multi-user.target

Then just enable and start the service and the Cockpit container will run and be ready to serve at 9090 port (user vagrant/vagrant or root/vagrant).

sudo systemctl daemon-reload
sudo systemctl enable cockpitws.service
sudo systemctl start cockpitws.service

Cool stuff Project Atomic and Cockpit.

 

 

Installing NGINX on CentOS 7

This a quick note on how to install the latest NGINX server on my CentOS 7, using the pakages provided by the NGINX team.  I share this post as it may help any visitor.

The official info about the official NGINX packages is in NGINX’s site

As root you can add the repository file for mainline version:

cat << EOT > /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/7/\$basearch/
gpgcheck=0
enabled=1
EOT

If you want to use the stable version you’d execute:

cat << EOT > /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/\$basearch/
gpgcheck=0
enabled=1
EOT

Then just use yum:

yum install -y nginx

And manage the service as usual (start the service, enable it at boot time and check the status):

service start nginx

service enable nginx

service status nginx

If you want to check the version you’ve just installed (e.g I’m using the latest mainline version July/2016):

# nginx -v
nginx version: nginx/1.11.2

And that’s all, just a note for my reference for the future, hope it helps you too 🙂

 

Installing Cobbler in CentOS 7

I’m evaluating Cobbler as my Linux installation and inventory server for my Configuration Management Database. I’ve heard good things about Cobbler and for now I’d like to share my installation steps with you. In this post I’m covering installation for cobbler and cobbler’s web interface.

Note: I’ll be updating this article if I found anything is missing, so please contact me with your feedback so I can add corrections.

Cobbler is available at the EPEL repository:

yum install epel-release -y

We’ll need some packages:

yum install cobbler cobbler-web pykickstart fence-agents xinetd setroubleshoot-server firewalld wget perl-LockFile-Simple perl-IO-Compress perl-Compress-Raw-Zlib perl-Digest-MD5 perl-Digest-SHA perl-Net-INET6Glue perl-LWP-Protocol-https -y

If you want to manage Debian/Ubuntu repositories, the debmirror script must be installed. It’s a perl script which can be downloaded from the Debian repository (look for the most recent version that fits you):

cd /tmp
wget http://ftp.es.debian.org/debian/pool/main/d/debmirror/debmirror_2.20.tar.xz
tar xf debmirror_2.30.tar.xz
cp debmirror/debmirror /usr/bin/

Cobbler uses Apache, and a TFTP server will be run using the xinetd server so we’ll enable and start some systemd services:

systemctl enable cobblerd
systemctl enable httpd
systemctl enable xinetd

systemctl start firewalld

I’ll add a firewall rule so my http and https services are open:

firewall-cmd  --add-service http  --permanent
firewall-cmd  --add-service https --permanent
firewall-cmd --reload

SELinux –> If you follow my blog, you know I like to have SELinux running, so you can skip any block starting with SELinux in bolded letters. We’ll need the following booleans:

setsebool -P httpd_can_network_connect_cobbler 1
setsebool -P httpd_serve_cobbler_files 1

Time to start both Apache and Cobblerd:

systemctl start httpd
systemctl start cobblerd

We can check if cobbler is working:

cobbler --version (two dashes)

Cobbler 2.6.11
source: ?, ?
build time: Sun Jan 24 14:40:17 2016

We’ll need to configure a few things now. Set the IP address, your server will listen on. In my lab, the IP address is 192.168.2.1 so change it accordingly.

sed -i.bak ‘s/server: 127\.0\.0\.1/server: 192\.168\.2\.1/g’ /etc/cobbler/settings

The TFTP server will be started thanks to the Xinetd server:

sed -i.bak ‘/disable/c\\tdisable\t\t\t= no’ /etc/xinetd.d/tftp

systemctl start xinetd

We can download several network boot-loaders:

cobbler get-loaders (to download several network boot-loaders)

We can generate a new default password, choose a passprase and the password you prefer!

openssl passwd -1 -salt ‘A random passphrase, choose yours’ ‘your-password-here’ > /tmp/random_pass

sed -i.bak “/default_password_crypted:/c\default_password_crypted: \”$(cat /tmp/random_pass)\”” /etc/cobbler/settings

Once all the changes have been saved, restart the cobblerd daemon:

systemctl restart cobblerd

Now we can run a check to test if our configuration is good and ready. As I’m using SELinux I don’t care about the warning on “SELinux is enabled”.

cobbler check

The following are potential configuration items that you may want to fix:

1 : SELinux is enabled. Please review the following wiki page for details on ensuring cobbler works correctly in your SELinux environment:
https://github.com/cobbler/cobbler/wiki/Selinux

SELinux –> We have to add a new policy to avoid some SELinux issues.

yum install -y selinux-policy-devel

mkdir /root/policy
cd /root/policy
cat <<EOT > /root/policy/cobbler-web.te
policy_module(cobbler-web, 1.0)

gen_require(\`
type cobblerd_t;
type systemd_unit_file_t;
‘)

allow cobblerd_t systemd_unit_file_t:file getattr;
EOT

make -f /usr/share/selinux/devel/Makefile cobbler-web.pp

semodule -i cobbler-web.pp

Finally open the following URL, in my example my server is called cobbler.artemit.local. Please change your server name or IP address to one that fits your environment:

https://cobbler.artemit.local/cobbler_web

A certificate has been generated for SomeOrganization and it’s valid for 1 year, so deal with your browser’s SSL warning.

The default user is cobbler and the default password is cobbler.

That’s all for now, I’ll write some lines about configuration later, but don’t forget to read the official documentation.

 

CentOS 7 – NTOPNG web interface with SSL

Today we’re going to add SSL to our NTOP installation. This post is divided in two parts and it assumes that ntop is already installed.

If you don’t want to generate your own certificate and use the test certificate offered by ntopng (/usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem) be sure you have openssl and openssl-devel and then jump to the second part:

yum install openssl openssl-devel

If openssl-devel is not installed you may have problems starting the SSL server.

————————————————————-

First part – SSL Certificate

Once again, let’s be sure that you’ve openssl and openssl-devel

yum install openssl openssl-devel

Now we’re going to create our own Certification Authority and generate an SSL certificate for my test server: hobbes.artemit.lab. I’ll set no challenge password for the SSL certificate. The commands are shown in bold letters.

mkdir /root/certs

openssl genrsa -out /root/certs/CA.key 2048

Generating RSA private key, 2048 bit long modulus
 ............+++
 .....+++
 e is 65537 (0x10001)


openssl req -x509 -new -nodes -sha256 -extensions v3_ca -key /root/certs/CA.key -days 3650 -out /root/certs/CA.pem


You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ES
State or Province Name (full name) []:Palencia
Locality Name (eg, city) [Default City]:Palencia
Organization Name (eg, company) [Default Company Ltd]:ArtemIT Labs
Organizational Unit Name (eg, section) []:n40lab
Common Name (eg, your name or your server's hostname) []:hobbes.artemit.lab
Email Address []:mcabrerizo@artemit.com.es


openssl genrsa -out /root/certs/hobbes.key 2048


Generating RSA private key, 2048 bit long modulus
 ................................+++
 ..+++
 e is 65537 (0x10001)


openssl req -new -sha256 -key /root/certs/hobbes.key -days 3650 -out /root/certs/hobbes.csr

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ES
State or Province Name (full name) []:Palencia
Locality Name (eg, city) [Default City]:Palencia
Organization Name (eg, company) [Default Company Ltd]:ArtemIT Labs
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:hobbes.artemit.lab
Email Address []:mcabrerizo@artemit.com.es
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

openssl x509 -req -sha256 -in /root/certs/hobbes.csr -CA /root/certs/CA.pem -CAkey /root/certs/CA.key -CAcreateserial -out /root/certs/hobbes.crt -days 3650

Signature ok
 subject=/C=ES/ST=Palencia/L=Palencia/O=ArtemIT Labs/CN=hobbes.artemit.lab/emailAddress=mcabrerizo@artemit.com.es
 Getting CA Private Key

You should import the CA.pem as a CA Authority in your browser to avoid SSL warnings.

Using https://github.com/ntop/ntopng/blob/dev/doc/README.SSL to help us, we know that we should store the cert in the folder /usr/share/ntopng/httpdocs/ssl and it should be named as ntopng-cert.pem.

You should delete the ntopng-cert.pem test file and the README or move them to a different folder:

rm /usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem
rm /usr/share/ntopng/httpdocs/ssl/README

Let’s prepare the cert needed by ntopng:

cat /root/certs/hobbes.key /root/certs/hobbes.crt /root/certs/CA.pem > /usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem

Let’s change permissions and ownership (nobody is the default user used by ntop after it starts):

chmod 640 /usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem
chown -R nobody:nobody /usr/share/ntopng/httpdocs/ssl

————————————

Second part – NTOP with SSL

Now it’s time to set the port where we want ntop to listen for SSL connections e.g 3001.

Let’s edit the conf file /etc/ntopng/ntopng.conf so the port is set correctly:

-G=/var/tmp/ntopng.pid\
-W=3001\
--community

Now we restart ntopng and check the status:

systemctl restart ntopng
systemctl status ntopng

ntopng.service - Start/stop ntopng program
 Loaded: loaded (/etc/systemd/system/ntopng.service; enabled)
 Active: active (running) since mié 2015-11-25 11:33:24 CET; 4s ago
 Process: 3887 ExecStop=/etc/systemd/scripts/ntopng stop (code=exited, status=0/SUCCESS)
 Process: 4151 ExecStart=/etc/systemd/scripts/ntopng start (code=exited, status=0/SUCCESS)
 Main PID: 4157 (ntopng)
 CGroup: /system.slice/ntopng.service
 └─4157 /usr/bin/ntopng /etc/ntopng/ntopng.conf
nov 25 11:33:21 hobbes.artemit.lab systemd[1]: Starting Start/stop ntopng program...
nov 25 11:33:24 hobbes.artemit.lab ntopng[4151]: Starting ntopng: 4157
nov 25 11:33:24 hobbes.artemit.lab ntopng[4151]: [ OK ]
nov 25 11:33:24 hobbes.artemit.lab systemd[1]: Started Start/stop ntopng program.

Ok, the server is running

If you like old netstat, you can install the net-tools package  and
run netstat -ntap | grep 3001 to check if ntop is listening:

yum install net-tools
netstat -ntap | grep 3001
 tcp6 0 0 :::3001 :::* LISTEN 4157/ntopng

Perfect, now remember to allow your traffic to port 3001 (or any other port), in my example I allow traffic from any host in my 192.168.1.0/24 network to 3001 port:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="3001" protocol="tcp" accept'

firewall-cmd --reload

And finally we can use the browser to open https://hobbes.artemit.lab:3001 and the web interface for ntopng now runs with SSL:

 

 

 

 

That’s all for now, if you need any help or find any error please let me know.

Enjoy!

 

CentOS 7 – Installing Floodlight

Hi there!,
In the following weeks, I’ll be using the Floodlight controller to develop some code to get a deeper understanding on Software-Defined Networks. In my lab environment I’ll using OpenFlow to configure some OpenVswitch virtual switches.

In this post I’m showing you how I’ve installed Floodlight on my CentOS 7 machine, creating a service, configuring logging and more.

Let’s begin installing some development tools, Git, Java and Ant:

yum group install -y "Development Tools"
yum -y install git
yum install -y java-1.7.0-openjdk ant

We need Floodlight’s source code and then we’ll build it:

cd /opt
git clone git://github.com/floodlight/floodlight.git
cd floodlight/
ant

...
Buildfile: /opt/floodlight/build.xml
init:
...
[jar] Building jar: /opt/floodlight/target/floodlight.jar
...
BUILD SUCCESSFUL
Total time: 50 seconds

Awesome, Floodlight was built succesfully. We’ll now create some directories:

mkdir /var/lib/floodlight
mkdir /etc/floodlight
mkdir /var/log/floodlight/

OpenFlow protocol will use IANA’s reserved port 6653. I’ll add a rule allowing that traffic from my management network 192.168.4.0/24:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.4.0/24" port port="6653" protocol="tcp" accept'

firewall-cmd --reload

Also, if using the REST API (HTTP) or using the web user interface, we’ll need a rule allowing traffic on port 8080. In my lab, I’ll add a rule to allow traffic from my development network 192.168.5.0/24:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.5.0/24" port port="8080" protocol="tcp" accept'

firewall-cmd --reload

Next. Let’s add a user called, guess it? floodlight!, set the JAVA_HOME and change some directories ownership:

useradd floodlight
echo 'export JAVA_HOME=/usr/lib/jvm/jre-openjdk' >> /home/floodlight/.bash_profile 

chown -R floodlight:floodlight /opt/floodlight
chown -R floodlight:floodlight /var/lib/floodlight
chown -R floodlight:floodlight /var/log/floodlight
chown -R floodlight:floodlight /etc/floodlight

Now let’s open a shell using our floodlight user:

su - floodlight

Let’s copy the default floodlight’s properties file to our /etc/floodlight directory:

cp /opt/floodlight/src/main/resources/floodlightdefault.properties /etc/floodlight/

Let’s start Floodlight for the first time, specifying where’s our properties file. If everything is OK we’ll see some info and warning messages:

java -jar /opt/floodlight/target/floodlight.jar -cf /etc/floodlight/floodlightdefault.properties
...
11:00:08.221 INFO [n.f.c.m.FloodlightModuleLoader:main] Loading modules from /etc/floodlight/floodlightdefault.properties
11:00:08.702 WARN [n.f.r.RestApiServer:main] HTTPS disabled; HTTPS will not be used to connect to the REST API.
11:00:08.702 WARN [n.f.r.RestApiServer:main] HTTP enabled; Allowing unsecure access to REST API on port 8080.
11:00:19.552 WARN [n.f.c.i.OFSwitchManager:main] SSL disabled. Using unsecure connections between Floodlight and switches.
...
11:00:19.603 INFO [n.f.c.i.Controller:main] Controller role set to ACTIVE
...
11:00:19.716 INFO [n.f.f.Forwarding:main] Default flow matches set to: VLAN=true, MAC=true, IP=true, TPPT=true
11:00:20.572 INFO [o.s.s.i.r.RPCService:main] Listening for internal floodlight RPC on localhost/127.0.0.1:6642
11:00:20.812 INFO [n.f.c.i.OFSwitchManager:main] Listening for switch connections on 0.0.0.0/0.0.0.0:6653
11:00:20.831 INFO [n.f.l.i.LinkDiscoveryManager:main] Setting autoportfast feature to OFF
11:00:35.997 INFO [n.f.l.i.LinkDiscoveryManager:Scheduled-1] Sending LLDP packets out of all the enabled ports
11:00:37.959 INFO [n.f.j.JythonServer:debugserver-main] Starting DebugServer on :6655

If using the default properties, we’ll now have an active OpenFlow controller with a Forwarding module that allows our virtual switches (if using Floodlight as the controller, of course!) to forward ethernet frames.

As an example, these are information messages when the first switch connects to Floodlight:

11:15:13.041 INFO [n.f.c.i.OFChannelHandler:New I/O worker #11] New switch connection from /192.168.4.2:44893
11:15:13.201 INFO [n.f.c.i.OFSwitchHandshakeHandler:New I/O worker #11] Switch OFSwitchBase DPID[00:00:bc:30:5b:da:eb:60] bound to class class net.floodlightcontroller.core.OFSwitch, description SwitchDescription [manufacturerDescription=Nicira, Inc., hardwareDescription=Open vSwitch, softwareDescription=2.3.1, serialNumber=None, datapathDescription=None]

Once we’ve checked that Floodlight can be started we’ll kill the process using Ctrl-C and close our session.

^C[floodlight@tornasol ~]$ exit

I’m not using floodlight as an interactive user anymore so I’ll remove the shell:

usermod -s /sbin/nologin floodlight

Floodlight by default, will use standard output to write many messages. I want to reduce log level and set a file where logs will be written. Thanks to the information provided by Volkan Yazici and Luca Prete in this Google’s group, these are the steps I’ve followed.

First I create a backup file for the /opt/floodlight/logback.xml file:

cp /opt/floodlight/logback.xml /opt/floodlight/logback.xml.orig

Then I create a new /opt/floodlight/logback.xml file with the following content. Basically I’m reducing the log level so only INFO and WARN messages are sent to /var/log/floodlight/floodlight.log and no messages are sent to standard output:

cat <<EOT > /opt/floodlight/logback.xml
<configuration scan="true">
<appender name="FILE" class="ch.qos.logback.core.FileAppender">
<file>/var/log/floodlight/floodlight.log</file>
<encoder>
<pattern>%date %level [%thread] %logger{10} [%file:%line] %msg%n</pattern>
</encoder>
</appender>
<root level="INFO">
<appender-ref ref="FILE" />
</root>
<logger name="org" level="WARN"/>
<logger name="LogService" level="WARN"/> <!-- Restlet access logging -->
<logger name="net.floodlightcontroller" level="INFO"/>
<logger name="net.floodlightcontroller.logging" level="WARN"/>
</configuration>
EOT

Ok. Now we’ll create a systemd service so Floodlight is started and stopped nicely. I’m specifying where is the configuration file for logback and where’s the properties file.

cat <<EOT > /etc/systemd/system/floodlight.service
[Unit]
Description=FloodLight Service 
After=network.target
[Service]
EnvironmentFile=/etc/sysconfig/floodlight
User=floodlight
WorkingDirectory=/etc/floodlight
ExecStart=/usr/bin/java -Dlogback.configurationFile=/opt/floodlight/logback.xml -jar /opt/floodlight/target/floodlight.jar -cf /etc/floodlight/floodlightdefault.properties
Restart=on-abort
[Install]
WantedBy=multi-user.target
EOT

We’ll create the /etc/sysconfig/floodlight file so we’re sure that the JAVA_HOME environment variable is properly used:

cat <<EOT > /etc/sysconfig/floodlight
JAVA_HOME=/usr/lib/jvm/jre-openjdk
EOT

Let’s cross our fingers. Starting the service and checking status:

systemctl start floodlight.service

systemctl status floodlight.service

Looks good! Let’s enable service start at boot time:

systemctl enable floodlight.service

I think it’s a good idea to add a logrotate.d file so our Floodlight’s log file is rotated. I’ll use libvirtd file as a template to create the /etc/logrotate.d/floodlight file:

/var/log/floodlight/floodlight.log {
weekly
missingok
rotate 4
compress
delaycompress
copytruncate
minsize 100k
}

Finally I’ll check that the web user interface is listening on the 8080 port and that I’ve information about my OpenFlow switches (URL http://x.x.x.x:8080/ui/index.html, use your IP address of course!)

OK. Nice!, now I’m ready to start developing. I’ll post any useful information about Floodlight’s development or usage in my blog, but you should start visiting the official page, as I’m going to do right now 😀

Cheers!