Configuring Proxmox hosts (and other postfix installs) to send email via smarthost

Proxmox uses postfix as its MTA. To configure it to send email via a smarthost, run

dpkg-reconfigure postfix

For the general type of mail configuration choose Satellite (the "Satellite system" option).

SMTP relay host – the usual smarthost.

Mailbox size limit – the suggested 51200000 is fine here; it should be more than big enough, seeing as nothing should end up in the system mailbox anyway.

Once this is done, edit "/etc/aliases". It should look like:

postmaster: root
nobody: root
hostmaster: root
webmaster: root
www: root

Add a line at the end:

root: Your.Email@example.com

Regenerate the database with "newaliases" (or possibly "postalias filename" on other distributions).

Test with something like

echo "test" | mail -s "test mail sent to root" root

Debian 6 (squeeze) to 7 (wheezy) upgrade notes

Networking (firewall related)

Some of the older Debian servers are firewalled using a command in the "/etc/network/interfaces" file to load the iptables rules. For some reason this breaks the file on upgrade to Debian wheezy and the network interfaces don't come up on boot. To fix, comment out or remove the line:

pre-up iptables-restore < /etc/iptables.conf

and use the iptables-persistent package instead.

The newer iptables also gives an error on the old negation syntax in rules such as

INPUT -i ! lo

which need to change to

INPUT ! -i lo

(To be fair, the old form has been deprecated for a while now.)

Suhosin

php5-suhosin has been removed from wheezy. The upgrade sort of removes it, but it hangs around as a remove candidate package. Following http://pc-freak.net/blog/how-to-get-rid-of-php-warning-php-startup-unable-to-load-dynamic-library-usrlibphp520090626suhosin-so-on-debian-gnu-linux/ we check the package status with

dpkg -l | grep -i suhosin

and remove with

dpkg --purge php5-suhosin

This seems to fix the problem (cron no longer emails every so often about the missing library).

For the next upgrade, remove it first.

Kernel

Make sure the generic kernel package is installed – have tended to choose the specific one in the past for no good reason.

apt-get install linux-image-amd64

This should ensure the 3.2 kernel is installed as part of the upgrade.

Yumex setup on Fedora 17 LDXE

Yumex (I'll probably remove it later, but it might be handy for removing cruft) complains that it can't download anything and bombs out, even if the yum proxy has been set and yum itself is working.

To fix, edit "/etc/yumex.conf" and add the proxy:

proxy = "http://your.cache.address:port"

The quotes are required!

Some information about the grub font error at http://unsolicitedbutoffered.blogspot.co.uk/2012/06/fedora-17-lxde-review-just-facts-mam.html

Migration of virtual machines from Proxmox 1.9 to 2.1

Procedure

  1. Create a storage area that both clusters can see (e.g. NFS on freenas box)
  2. Backup VM from 1.9 system to backup area.
  3. SSH to the backup area and move the backup tgz file from the root of the share (where 1.9 backs up) to the dump directory (which should have been created when the share was added to the 2.1 system).
  4. Restore from backup in 2.1 (may want to keep the same VMID, to avoid inconsistent disk image numbers)
  5. Change hardware if required (VM won’t start if pointing to non-existent CD image, change network to appropriate bridge)

Network interface in Windows VMs

Not sure at the moment whether changing the bridge affects anything, or whether it's just due to the migration, but Windows sees the network interface as a new device and so configures it using DHCP. Check via the console!

More Proxmox 2.1 setup notes – corosync

Way to change the primary interface – edit /etc/hosts to change the IP address returned when cman looks up the system hostname.

e.g.

127.0.0.1 localhost.localdomain localhost
192.168.40.6 Hildasay.physics.gla.ac.uk Hildasay pvelocalhost

# The following lines are desirable for IPv6 capable hosts

::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

With this config cman will return 192.168.40.6 as the address totem should bind to for its multicast traffic.

There may be certificate problems doing this. Probably best in future to install proxmox with the initial interface on the SAN (or other appropriate private network).

Proxmox 2.1 setup notes

Proxy

In addition to the web interface setting (for the cluster), need to configure aptitude as well. Add to somewhere appropriate (e.g. /etc/apt/apt.conf.d/70debconf)

Acquire::http::Proxy "http://wwwcache.gla.ac.uk:8080";
Acquire::ftp::Proxy "http://wwwcache.gla.ac.uk:8080";

Time

Have to set up NTP on each system as before. Edit /etc/ntp.conf to add:

server login.physics.gla.ac.uk iburst

and restart the service

/etc/init.d/ntp restart

Check with ntpq -p; the output will look something like:

remote refid st t when poll reach delay offset jitter
==============================================================================
*puck.physics.gl 130.159.196.117 3 u 41 64 17 0.244 0.154 0.115
s02.be.it2go.eu .STEP. 16 u - 64 0 0.000 0.000 0.000
utl-ntp.evo.hlm .STEP. 16 u - 64 0 0.000 0.000 0.000
218-32-169-193. .STEP. 16 u - 64 0 0.000 0.000 0.000
wan1.dgeb.info .STEP. 16 u - 64 0 0.000 0.000 0.000

Time needs to be reasonably accurate before attempting cluster join!

Cluster

Instructions at http://pve.proxmox.com/wiki/Proxmox_VE_2.0_Cluster

Quick guide

Log in to a node. To create the cluster:

pvecm create YOUR-CLUSTER-NAME

Use a unique name. This name cannot be changed later!

To check the state of cluster:

pvecm status

To add a node, log in to that node and run:

pvecm add IP-ADDRESS-CLUSTER

where the address is that of one of the existing cluster nodes. It will ask for the root password of the node you are connecting to.

Remember to add the new node's address to the NFS shares etc.

CentOS setup for Subversion Edge

N.B. Gave up on this – taking too much time and effort for something that would require some command line admin anyway – such as the mailer configuration. Will go back to purely standard setup on Debian like existing servers.

Minimum setup

Network

To get the network going edit ifcfg-eth0 in /etc/sysconfig/network-scripts/

Need to use vi for this – minimal install doesn’t have anything else.

DEVICE="eth0"
NM_CONTROLLED=no
ONBOOT=yes
HWADDR=6E:89:F7:F2:8B:47
TYPE=Ethernet
BOOTPROTO=none
IPADDR=130.209.45.49
NETMASK=255.255.255.0
GATEWAY=130.209.45.1
DNS1=130.209.4.16
DNS2=130.209.4.18
DNS3=130.209.16.6
DOMAIN=physics.gla.ac.uk
IPV6INIT=no
NAME="System eth0"
UUID=5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03

The UUID here was put in by the GUI network setup, as was some of the other stuff. The minimum required is IPADDR, BOOTPROTO (maybe?), NETMASK, GATEWAY and DNS1 (2, 3, etc.).

To edit a file with vi:

vi filename
i (insert mode)
ESC (command mode)
:x (exit, saving changes)
:q! (exit and ignore any changes)

vi cheat sheet at http://www.lagmonster.org/docs/vi.html

Enable network with service network start

Edit /etc/yum.conf to include the line

proxy=http://wwwcache.gla.ac.uk:8080/

then run yum update to update the system. Then use yum install packagename to install other stuff, like nano, ntp etc.

Install sudo; it seems to be wanted.

Firewall

Install system-config-firewall-tui using yum and run it.

Java

yum install java-1.6.0-openjdk

Set environment variable by creating a file in /etc/profile.d/

export JAVA_HOME=/usr/lib/jvm/jre

(if the install worked properly /usr/lib/jvm/jre should be a symlink to /etc/alternatives/jre, which in turn should link to the actual JRE, e.g. /usr/lib/jvm-exports/jre-1.6.0-openjdk.x86_64)

Python

Python should be installed. Apparently need to install python-ldap though.

User

Create the user with:

useradd username -p password

Note that -p expects an already-hashed password and the command line ends up in the shell history and process list, so it is safer to create the user without -p and set the password with passwd afterwards.

Install

Create directory, e.g.

mkdir /export0/subversion_edge
chown subversion:subversion /export0/subversion_edge/

Put the downloaded file in subversion user’s directory, switch to the user and extract the file

tar -zxvf CollabNetSubversionEdge-3.1.0_linux-x86_64.tar

change back to root (su -) and:

[root@unst ~]# /export0/subversion_edge/csvn/bin/csvn install
Detected RHEL or Fedora:
 Installing the CSVN Console daemon..
Setting RUN_AS_USER to: 'root'. Please edit '../data/conf/csvn.conf' if this needs to be adjusted
Setting JAVA_HOME to: '/usr/lib/jvm/jre'. Please edit '../data/conf/csvn.conf' if this needs to be adjusted.

Edit the csvn.conf file to change the RUN_AS_USER. Can also set the proxy here.

Change back to the subversion user and start the system

/export0/subversion_edge/csvn/bin/csvn start

After a minute or so should be able to access the console at http://servername:3343/csvn or https://servername:4434/csvn/

For troubleshooting this gives you the startup messages:

csvn console

Starting svn server on port 80 or 443

To allow the non-privileged user to bind to ports < 1024 there are some tweaks required. Either:

  1. Give root ownership of the httpd_bind utility to allow it to start the server from init.d, or
  2. edit sudoers to allow the subversion user to start apache

When you set a port < 1024 in the web interface for the svn server it will complain and show the commands required to make it work, for both options. I chose the httpd_bind route.

chown root:subversion /export0/subversion_edge/csvn/lib/httpd_bind/httpd_bind
chmod u+s /export0/subversion_edge/csvn/lib/httpd_bind/httpd_bind

Since this makes httpd_bind a setuid-root binary, it is worth also dropping world execute (chmod 4750) so that only the subversion group can run it.

https://ctf.open.collab.net/sf/go/artf5095?nav=1&selectedTab=comments

Setting daemons to start

To start the console and the svn/httpd services on boot:

csvn/bin/csvn install
csvn/bin/csvn-httpd install

LDAP on Debian setup notes

LDAP server package is slapd. LDAP command-line stuff gets installed along with it.

The first database is set up automatically – the only requirement is the admin password. The root DN is taken from the host's domain name, so you get dc=physics,dc=gla,dc=ac,dc=uk if not careful. And with OpenLDAP there's no easy way to delete databases.

Browsers

Web-based

phpLDAPadmin works reasonably well as a server-based browser. It needs Apache. This template gives you users with the RDN set to uid rather than cn, plus an email entry.

Note that for this to work you need an existing group and user with numbers set, otherwise the autonumber logic doesn’t work. Or the template could be modified to let you enter them directly.

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE template SYSTEM "template.dtd">
 
<template>
<askcontainer>1</askcontainer>
<description>New User Account</description>
<icon>ldap-user.png</icon>
<invalid>0</invalid>
<rdn>uid</rdn>
<!--<regexp>^ou=People,o=.*,</regexp>-->
<title>Custom: User Account with Email</title>
<visible>1</visible>
 
<objectClasses>
<objectClass id="inetOrgPerson"></objectClass>
<objectClass id="posixAccount"></objectClass>
</objectClasses>
 
<attributes>
<attribute id="givenName">
	<display>First name</display>
	<icon>ldap-uid.png</icon>
	<onchange>=autoFill(cn;%givenName% %sn%)</onchange>
	<onchange>=autoFill(uid;%givenName|0-1/l%%sn/l%)</onchange>
	<order>1</order>
	<page>1</page>
</attribute>
<attribute id="sn">
	<display>Last name</display>
	<onchange>=autoFill(cn;%givenName% %sn%)</onchange>
	<onchange>=autoFill(uid;%givenName|0-1/l%%sn/l%)</onchange>
	<!-- <onchange>=autoFill(homeDirectory;/home/users/%uid|0-1/l%/%uid%)</onchange> -->
	<order>2</order>
	<page>1</page>
</attribute>
<attribute id="cn">
	<display>Common Name</display>
	<order>3</order>
	<page>1</page>
</attribute>
<attribute id="uid">
	<display>User ID</display>
	<onchange>=autoFill(homeDirectory;/home/users/%uid%)</onchange>
	<order>4</order>
	<page>1</page>
	<spacer>1</spacer>
</attribute>
<attribute id="homeDirectory">
	<display>Home directory</display>
	<!-- <onchange>=autoFill(homeDirectory;/home/users/%gidNumber|0-0/T%/%uid|3-%)</onchange> -->
	<order>8</order>
	<page>1</page>
</attribute>
<attribute id="uidNumber">
	<display>UID Number</display>
	<icon>terminal.png</icon>
	<order>6</order>
	<page>1</page>
	<readonly>1</readonly>
	<value>=php.GetNextNumber(/;uidNumber)</value>
</attribute>
<attribute id="gidNumber">
	<display>GID Number</display>
	<!-- <onchange>=autoFill(homeDirectory;/home/users/%gidNumber|0-0/T%/%uid|3-%)</onchange> -->
	<order>7</order>
	<page>1</page>
	<value><![CDATA[=php.PickList(/;(&(objectClass=posixGroup));gidNumber;%cn%;;;;cn)]]></value>
</attribute>
<attribute id="loginShell">
	<display>Login shell</display>
	<order>9</order>
	<page>1</page>
	<!-- <value><![CDATA[=php.PickList(/;(&(objectClass=posixAccount));loginShell;%loginShell%;;;;loginShell)]]></value> -->
	<type>select</type>
	<value id="/bin/sh">/bin/sh</value>
	<value id="/bin/csh">/bin/csh</value>
	<value id="/bin/tsh">/bin/tsh</value>
</attribute>
<attribute id="userPassword">
	<display>Password</display>
	<!-- <helper>
		<display>Encryption</display>
		<id>enc</id>
		<value>=php.PasswordEncryptionTypes()</value>
	</helper> -->
	<icon>lock.png</icon>
	<order>5</order>
	<page>1</page>
	<post>=php.PasswordEncrypt(%enc%;%userPassword%)</post>
	<spacer>1</spacer>
	<verify>1</verify>
</attribute>
<attribute id="mail">
	<display>Email</display>
	<order>10</order>
	<page>1</page>
</attribute>
</attributes>
 
</template>

Windows

There are a few browsers that work on Windows. JXplorer is cross-platform, but I couldn't get it to work on Win7 x64 with Java 7. Trying out LDAP Admin, which looks quite nice.

Firewall Setup

Using the usual setup – following the guide at http://www.medorion.net/p/19.xhtml edit the /etc/network/interfaces file to include the command "pre-up iptables-restore < /etc/iptables.conf" just after the loopback stuff (why there? dunno), so the file looks something like:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.conf

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
...

The /etc/iptables.conf file it loads looks like this:

*filter
 
# Create filter chain for Physics subnets only
-N PHYSICSONLY
-A PHYSICSONLY -s 130.209.45.0/24 -j ACCEPT
-A PHYSICSONLY -s 130.209.202.0/24 -j ACCEPT
-A PHYSICSONLY -s 130.209.204.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.45.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.202.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.204.0/24 -j ACCEPT
 
# This will allow all loopback (lo0) traffic and drop all traffic to 127/8
# that does not use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
 
#  This accepts all already established connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# This allows all outbound traffic
-A OUTPUT -j ACCEPT
 
# Allow SSH and pings from Physics subnets only
-A INPUT -p tcp -m state --state NEW --dport 22 -j PHYSICSONLY
-A INPUT -p icmp -m icmp --icmp-type echo-request -j PHYSICSONLY
-A INPUT -p tcp -m state --state NEW --dport 443 -j PHYSICSONLY
 
# Allow HTTP(S) from anywhere
#-A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
#-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
 
# Allow LDAP(S) queries from Physics only
-A INPUT -p tcp -m state --state NEW --dport 389 -j PHYSICSONLY
-A INPUT -p tcp -m state --state NEW --dport 636 -j PHYSICSONLY
 
# Reject all other inbound traffic
-A INPUT -j REJECT
-A FORWARD -j REJECT
 
COMMIT
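To check what the ruleset above actually lets through before loading it, here is an added example (not from the original notes): a small Python evaluator for an abbreviated copy of the file that walks INPUT and the PHYSICSONLY chain the way iptables does (first match wins, a user chain that falls through returns to the caller), so you can ask for the verdict on a given source address, port and connection state. The source addresses below are constructed test values; the rules are those quoted above.

```python
import ipaddress, shlex

# Constructed, abbreviated copy of the notes' /etc/iptables.conf (-N omitted: the first -A creates a chain).
RULES = """
-A PHYSICSONLY -s 130.209.45.0/24 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j PHYSICSONLY
-A INPUT -p icmp -m icmp --icmp-type echo-request -j PHYSICSONLY
-A INPUT -j REJECT
"""

def parse(text):
    """Return {chain: [(matches, target)]}; each match is (option, value, negated)."""
    chains = {}
    for tok in (shlex.split(line) for line in text.splitlines()):
        if not tok or tok[0] != "-A":
            continue                       # blanks, comments, *filter, -N, COMMIT
        match, target, i = [], None, 2
        while i < len(tok):
            neg = tok[i] == "!"            # current syntax "! -i lo" (the old "-i ! lo" breaks)
            i += neg                       # step over the "!" token
            if tok[i] == "-j": target = tok[i + 1]
            elif tok[i] != "-m": match.append((tok[i], tok[i + 1], neg))  # "-m x" only loads a module
            i += 2
        chains.setdefault(tok[1], []).append((match, target))
    return chains

FIELDS = {"-i": "iface", "-p": "proto", "--dport": "dport", "--icmp-type": "icmp_type"}

def matches(opt, val, pkt):
    if opt in ("-s", "-d"):
        return ipaddress.ip_address(pkt["src" if opt == "-s" else "dst"]) in ipaddress.ip_network(val)
    if opt == "--state":
        return pkt["state"] in val.split(",")
    return str(pkt[FIELDS[opt]]) == val

def verdict(chains, pkt, chain="INPUT"):
    """First matching rule wins; a user chain that falls through returns None to its caller."""
    for match, target in chains[chain]:
        if all(matches(o, v, pkt) != neg for o, v, neg in match):
            t = target if target in ("ACCEPT", "REJECT", "DROP") else verdict(chains, pkt, target)
            if t:
                return t
    return None

def inbound(src, proto="tcp", dport=None, state="NEW", iface="eth0", dst="130.209.45.49", icmp_type=None):
    """Verdict for one packet arriving on the server. The notes' file has no ':INPUT' policy line, so the
    built-in policy stays ACCEPT and only the final '-A INPUT -j REJECT' closes the chain."""
    pkt = dict(src=src, proto=proto, dport=dport, state=state, iface=iface, dst=dst, icmp_type=icmp_type)
    return verdict(parse(RULES), pkt) or "ACCEPT"
```

Because the file sets no chain policy, deleting that last REJECT line would silently open every port not otherwise matched; the evaluator makes that kind of mistake visible before the rules reach a live host.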