FreeBSD : Glusterfs with SSL (via stunnel)

I have been working on parallel round-robin web clusters (is this the right term?) using 2 x FreeBSD 7.1 AMD64 boxes, nginx (patched with upstream fair), apache + php (backend), glusterfs, tinydns (sitting on another box, a name server, for round-robin A records) and mysql multi-master replication. The setup mainly makes use of the round-robin replication concept. Although I have not yet fully hammered the configuration, it was pretty impressive and secure.

Glusterfs and mysql replicate over SSL, and nginx serves SSL. These, however, come slightly at the expense of CPU and performance. I can live with that though.

The write-up of the setup is in progress as I am quite tied up with my day job, the HeX project and the glusterfs 2.0 ports for FreeBSD. Hopefully, I can manage the time well to complete all these. Nevertheless, here is a partial (optional) write-up for glusterfs replication with SSL.

Note: server1 and server2 denote the FreeBSD clusters.

1) Installing required software
Most of the software except glusterfs (not in the FreeBSD ports as of this posting) is available via the FreeBSD ports. I'm aware that TimurBakeyev is working on a glusterfs port.

# cd /usr/ports/security/stunnel && make install clean

2) Creating SSL certs (on either box)
Generally, it is easier to generate all certs/keys on a single box and copy the required certs to the rest of the boxes, but YMMV. Commonly, cacert.pem and the generated cert/key are the files copied.

2.1) For the impatient
Just create the certificate with a one-liner (self-signed, no CA). Remember to modify the content of "-subj".

# openssl req -new -outform PEM -out /etc/ssl/stunnel-cert.pem -newkey rsa:1024 \
-nodes -keyout /etc/ssl/private/stunnel-key.pem -keyform PEM -days 3650 -x509 -subj \
'/C=ur country code/ST=ur state/L=ur location/CN=ur server common name/O=ur org/OU=ur org unit'

2.2) For the patient
Create the necessary directories for ssl with the following commands.

# mkdir /etc/ssl/newcerts
# mkdir /etc/ssl/private
# echo '01' >/etc/ssl/serial
# touch /etc/ssl/index.txt

Next, let's generate a CA. You will be prompted for your country, state, location etc. and for a password for the CA key.

# openssl req -new -x509 -extensions v3_ca -keyout /etc/ssl/private/cakey.pem \
-out /etc/ssl/cacert.pem -days 3650 -config /etc/ssl/openssl.cnf

Generate a cert request for stunnel (the request file is the input to the signing step that follows).

# openssl req -outform PEM -out /etc/ssl/stunnel-req.pem -newkey rsa:1024 -nodes \
-keyout /etc/ssl/private/stunnel-key.pem -keyform PEM -days 3650 -subj \
'/C=ur country code/ST=ur state/L=ur location/CN=ur server common name/O=ur org/OU=ur org unit'

Lastly, sign the request with the CA key.

# openssl ca -in /etc/ssl/stunnel-req.pem -notext -out /etc/ssl/stunnel-cert.pem
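The CA and signing steps above as a runnable script, an added example that is not from the original post: it swaps the post's `openssl ca` for `openssl x509 -req -CA` (no index.txt/serial database needed), keeps everything under an assumed `$SSLDIR` that defaults to a scratch directory instead of /etc/ssl, and ends with the chain check that stunnel itself performs only when its config sets `verify = 2` (the appendix configs set CAfile but no verify, so the peer certificate is never checked there).

```shell
#!/bin/sh
# Added example, not from the original post. Builds the CA and the stunnel
# certificate from section 2.2, then runs the chain check that stunnel
# performs only when "verify = 2" is configured. Differences from the post:
#  - signs with "openssl x509 -req -CA" instead of "openssl ca";
#  - SSLDIR (assumption) defaults to a scratch directory, not /etc/ssl;
#  - 2048-bit keys, since current OpenSSL rejects 1024-bit keys by default.
set -eu

SSLDIR="${SSLDIR:-$(mktemp -d)}"
SUBJ_BASE='/C=MY/O=example'   # constructed subject prefix, edit to taste

# Self-signed CA: cacert.pem is what goes into stunnel's CAfile on both boxes.
make_ca() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$SSLDIR/cakey.pem" -out "$SSLDIR/cacert.pem" \
        -subj "$SUBJ_BASE/CN=gluster-stunnel-ca" 2>/dev/null
}

# Key + request for one box (CN = box name), signed by the CA above.
make_stunnel_cert() {
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$SSLDIR/stunnel-key-$host.pem" \
        -out "$SSLDIR/stunnel-req-$host.pem" \
        -subj "$SUBJ_BASE/CN=$host" 2>/dev/null
    openssl x509 -req -days 3650 -in "$SSLDIR/stunnel-req-$host.pem" \
        -CA "$SSLDIR/cacert.pem" -CAkey "$SSLDIR/cakey.pem" -CAcreateserial \
        -out "$SSLDIR/stunnel-cert-$host.pem" 2>/dev/null
}

# A self-signed cert from nobody's CA, i.e. what an unknown peer would present.
make_foreign_cert() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$SSLDIR/foreign-key.pem" -out "$SSLDIR/foreign-cert.pem" \
        -subj "$SUBJ_BASE/CN=not-our-box" 2>/dev/null
}

# Exit status 0 iff the certificate chains to cacert.pem: the decision
# stunnel makes about a peer when "verify = 2" is set.
check_chain() {
    openssl verify -CAfile "$SSLDIR/cacert.pem" "$1" >/dev/null 2>&1
}

# Stand-alone run: issue server1/server2 certs and report all three checks.
if [ "${1:-}" = "run" ]; then
    make_ca; make_stunnel_cert server1; make_stunnel_cert server2; make_foreign_cert
    for c in stunnel-cert-server1 stunnel-cert-server2 foreign-cert; do
        if check_chain "$SSLDIR/$c.pem"; then echo "$c: trusted"; else echo "$c: REJECTED"; fi
    done
    echo "files are in $SSLDIR"
fi
```

Run it as `sh thisscript.sh run`; the server1/server2 certs are reported trusted and the foreign one rejected, which is exactly the split you want at the tunnel before gluster's auth.login is ever consulted.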

3) Modifying stunnel rc.d for stunnel running client mode
The stunnel rc.d startup script is meant to run a single instance, in either server or client mode. I need both modes here, so I made a quick copy of the stunnel rc.d script to run a second, client-mode instance of stunnel. I named it /usr/local/etc/rc.d/stunnelc.

#!/bin/sh
#
# $FreeBSD: ports/security/stunnel/files/stunnel.in,v 1.9 2008/01/26 14:18:12 roam Exp $
#

# PROVIDE: stunnelc
# REQUIRE: NETWORKING SERVERS
# BEFORE: DAEMON glusterfs
# KEYWORD: shutdown

#
# Add some of the following variables to /etc/rc.conf to configure stunnel:
# stunnelc_enable (bool):        Set to "NO" by default.
#                               Set it to "YES" to enable stunnel.
# stunnelc_config (str):         Default "/usr/local/etc/stunnel/stunnel-client.conf"
#                               Set it to the full path to the config file
#                               that stunnel will use during the automated
#                               start-up.
# stunnelc_pidfile (str):        Default "/var/tmp/stunnel/stunnel-client.pid"
#                               Set it to the value of 'pid' in
#                               the stunnel.conf file.
#

. /etc/rc.subr

name="stunnelc"
rcvar=`set_rcvar`

load_rc_config $name

: ${stunnelc_enable="NO"}
: ${stunnelc_config="/usr/local/etc/stunnel/stunnel-client.conf"}
: ${stunnelc_pidfile="/var/tmp/stunnel/stunnel-client.pid"}
procname="/usr/local/bin/stunnel"
command="/usr/local/bin/stunnel"
command_args=${stunnelc_config}
pidfile=${stunnelc_pidfile}

required_files="${stunnelc_config}"

run_rc_command "$1"

4) glusterfs vol configuration
In this setup, glusterfsd listens on lo0 (127.0.0.1) port 6996 and the stunnel server listens on em0 (the network-facing NIC) port 8996. The stunnel client, on the other hand, listens on 127.0.0.1 port 7996 and forwards to the remote host on port 8996. The glusterfs client mounts the volume from 127.0.0.1 port 6996 (the local brick) and 127.0.0.1 port 7996 (tunnelled to port 8996 on the remote host). Refer to the configurations below:

i) stunnel-server.conf.

[glusterfsd]
accept = 8996
connect = 127.0.0.1:6996

ii) stunnel-client.conf.

[glusterfs]
accept = 127.0.0.1:7996
connect = server2:8996

auth.login was used because the auth.addr method imposes a privileged-port ceiling of 1024 on the connecting client's source port; the auth.login method does not care about that ceiling.

Please refer to
http://www.gluster.org/docs/index.php/GlusterFS_Encrypted_network
http://www.gluster.org/docs/index.php/Translators_v2.0#auth.login

As I'm still working on the glusterfs 2.0 ports, you can use the rc.d scripts that I have completed for glusterfs and glusterfsd.

APPENDIX

Configuration files on server1

I) /etc/rc.conf

fusefs_enable="YES"
glusterfsd_enable="YES"
glusterfs_enable="YES"
glusterfs_mount="/usr/home/www"
stunnel_enable="YES"
stunnel_config="/usr/local/etc/stunnel/stunnel-server.conf"
stunnel_pidfile="/var/tmp/stunnel/stunnel-server.pid"
stunnelc_enable="YES"
stunnelc_config="/usr/local/etc/stunnel/stunnel-client.conf"
stunnelc_pidfile="/var/tmp/stunnel/stunnel-client.pid"

II) Stunnel configuration for glusterfsd (/usr/local/etc/stunnel/stunnel-server.conf)

cert = /etc/ssl/stunnel-cert.pem
key = /etc/ssl/private/stunnel-key.pem

sslVersion = SSLv3

chroot = /var/tmp/stunnel
setuid = stunnel
setgid = stunnel
; PID is created inside chroot jail
pid = /stunnel-server.pid

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
CAfile = /etc/ssl/cacert.pem

output = /var/log/stunnel.log

[glusterfsd]
accept = 8996
connect = 127.0.0.1:6996

III) Stunnel configuration for glusterfs (/usr/local/etc/stunnel/stunnel-client.conf)

cert = /etc/ssl/stunnel-cert.pem
key = /etc/ssl/private/stunnel-key.pem

sslVersion = SSLv3

chroot = /var/tmp/stunnel
setuid = stunnel
setgid = stunnel
; PID is created inside chroot jail
pid = /stunnel-client.pid

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
CAfile = /etc/ssl/cacert.pem
output = /var/log/stunnelc.log
client = yes

[glusterfs]
accept = 127.0.0.1:7996
connect = server2:8996

IV) Glusterfs client configuration (/usr/local/etc/glusterfs/glusterfs.vol)

volume remote1
  type protocol/client
  option transport-type tcp
  option remote-host 127.0.0.1
  option remote-port 6996
  option remote-subvolume brick
end-volume

volume remote2
  type protocol/client
  option transport-type tcp
  option remote-host 127.0.0.1
  option remote-port 7996
  option username yourusername
  option password yourpassword
  option remote-subvolume brick
end-volume

volume replicate
  type cluster/replicate
  subvolumes remote1 remote2
end-volume

volume writebehind
  type performance/write-behind
  option block-size 128KB
  option cache-size 1MB
  subvolumes replicate
end-volume

volume cache
  type performance/io-cache
  option cache-size 512MB
  subvolumes writebehind
end-volume

V) Glusterfs server configuration (/usr/local/etc/glusterfs/glusterfsd.vol)

volume posix
  type storage/posix
  option directory /usr/home/www-shared
end-volume

volume locks
  type features/locks
  subvolumes posix
end-volume

volume brick
  type performance/io-threads
  option thread-count 8
  subvolumes locks
end-volume

volume server
  type protocol/server
  option transport-type tcp
  option transport.socket.bind-address 127.0.0.1
  option auth.addr.brick.allow 127.0.0.1
  option auth.login.brick.allow yourusername
  option auth.login.yourusername.password yourpassword
  subvolumes brick
end-volume

April 15th, 2009, posted by Kevin Foo (chfl4gs_)

FreeBSD : php-cgi spawn-fcgi rc.d script for nginx

I was busy working on the glusterfs ports for FreeBSD. There are still some issues to be ironed out before it can be submitted upstream. At the same time, I set up web servers running nginx with php5 via fastcgi. FreeBSD doesn't have an rc.d script to start the spawn-fcgi process, so I wrote a quick one. Below is the script.

#!/bin/sh
#
# $FreeBSD$
#
# PROVIDE: spawnfcgi
# REQUIRE: DAEMON
# BEFORE:  nginx
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf to enable spawnfcgi:
# spawnfcgi_enable (bool):    Set it to "YES" to enable spawnfcgi.
#                             Default is "NO".
# spawnfcgi_flags  (str):     Default is "-a 127.0.0.1 -p 8888 -u www -g www -f /usr/local/bin/php-cgi".
#

. /etc/rc.subr

name="spawnfcgi"
rcvar=${name}_enable

load_rc_config $name

spawnfcgi_enable=${spawnfcgi_enable:-"NO"}
spawnfcgi_flags=${spawnfcgi_flags:-"-a 127.0.0.1 -p 8888 -u www -g www -f /usr/local/bin/php-cgi"}
spawnfcgi_pidfile="/var/run/${name}.pid"
procname="/usr/local/bin/php-cgi"
pidfile=${spawnfcgi_pidfile}
command=/usr/local/bin/spawn-fcgi
command_args="${spawnfcgi_flags} -P ${spawnfcgi_pidfile}"

run_rc_command "$1"

Note: spawn-fcgi is part of lighttpd.

Just add spawnfcgi_enable="YES" to /etc/rc.conf to enable it. As this is just a simple script, not all options are exposed. You can add/override options via spawnfcgi_flags. Do check the options available via /usr/local/bin/spawn-fcgi -h

For the nginx part, just add these lines to your server directive.

location ~ \.php$ {
    fastcgi_pass   127.0.0.1:8888;
    fastcgi_index  index.php;
    fastcgi_param   SCRIPT_FILENAME /path/to/the/phpscript/$fastcgi_script_name;
    include         fastcgi_params;
}

April 10th, 2009, posted by Kevin Foo (chfl4gs_)

The Honeynet Project 8th Annual Workshop : Team dinner and introductions

It was a great night to meet and greet the Honeynet members from around the globe. There was an ice-breaking session for the members to socialize with other chapter members. I met a lot of them, notably Lance Spitzner (Chicago chapter), Sju Usken, Tor Skaar and Einar Oftedal (Norwegian chapter), Jamie Riden (UK chapter), Williams (Global chapter), Cecil Su, Eugeue Teo and Nicolas Collerty (SG Chapter), Peter Cheung and Roland Cheung (HK Chapter), Eugene Yeh (Taiwan Chapter), Adil Wahid (.my CERT chapter), Jianwei Zhuge (Chinese chapter), Felix Ledner (Giraffe chapter) and many others that I probably missed out. Nice ambiance, good food and great companions (all geeks gathered around). What more can I ask for? Highly intoxicated by alcohol, off for a good night's sleep is good for me. There are still nice talks to attend tomorrow. ;P

February 26th, 2009, posted by Kevin Foo (chfl4gs_)

m0n0live : another m0n0wall live installer

I frequently use m0n0wall for quick and easy deployment of firewalls. However, it is kind of troublesome to dd the m0n0wall image from another computer. The idea of creating this liveCD installer originated from Chris Buechler's m0n0wall live installer. Since 2005, there has been no updated release of the m0n0wall live installer. Thus, I decided to create my own.

The m0n0live Installer CD is a FreeBSD 7.1 based liveCD built with the FreeSBIE toolkit. It includes the m0n0wall 1.235 and 1.3b15 images under /usr/m0n0 and /usr/m0n0/1.3b respectively. You can grab a copy of the m0n0live installer iso (42MB in size) from the links below:

http://my.rawpacket.org/m0n0live-i386-0.1.iso
http://my.rawpacket.org/m0n0live-i386-0.1.iso.md5
http://my.rawpacket.org/m0n0live-i386-0.1.iso.sha256

Burn the iso onto a CD after you have obtained the iso file above. Do verify the iso against the md5/sha256 provided to ensure that your download completed correctly. If you are not familiar with burning an iso image, please refer to your CD burning software's documentation before you proceed. Never burn this iso file as a single file on a data CD. After you have successfully burned the iso image to CD, boot up the designated device with the bootable CD that you have created.

No login required, just read and follow the instructions displayed on the screen. Enjoy!

February 24th, 2009, posted by Kevin Foo (chfl4gs_)

ROSESCHOC : Love is in the air

Just a short post to help a friend of mine spreading words around.


Express your love to your loved ones on this Valentine's Day with roses and chocolates!!

Red roses proclaim “I Love You.”

They are the ultimate symbol of romantic love and enduring passion.
And of course the heart shape chocolate, represents your heart to your loved ones!!

Now ROSESCHOC brings good quality branded chocolate and imported big roses to your loved one.
We also provide delivery service to the locations below (refer to the payment mode below).
Early birds can enjoy our promotion of up to 20% DISCOUNT.
Please do not hesitate and ORDER now.

1. YOU ARE THE ONE (single stalk and chocolate):
RM12 (for * early birds)

2. YOU-N-ME (3 stalks and chocolate): RM30 (for * early birds)

3. I LOVE YOU (3 stalks and chocolate):
RM35 (for * early birds)

4. CONTACT US FOR CUSTOMIZE PACKAGES SUCH AS HALF DOZEN AND 1 DOZEN

Payment mode:
(1) Maybank2u(acc will be provided later) or
(2) COD around Puchong, Subang, PJ, Kelana, Cyberjaya, Serdang, Sunway (in Malaysia)
Delivery can be made with minimal charges. Please contact us for further details

* Early birds promo will be until 8th February 2009. For early birds please Maybank2u the payment to us before 9th February 2009 to confirm your order. Thank you.

For any inquiries do not hesitate to contact us at roseschoc@gmail.com
For further info, please log on to our website http://roseschoc.blogspot.com

With our love,
ROSESCHOC ( Malaysia )

February 6th, 2009, posted by Kevin Foo (chfl4gs_)

FreeBSD : Compaq presario v3000 Ricoh card reader (update)

In my previous post on the Ricoh SD/MMC card reader, I had to patch the system in order to get the device working. With FreeBSD 7.1, it just works out of the box.

sdhci0: <RICOH R5C822 SD> mem 0xb8000800-0xb80008ff irq 22 at device 9.1 on pci5
sdhci0: 1 slot(s) allocated
sdhci0: [ITHREAD]
mmc0: <MMC/SD bus> on sdhci0
mmcsd0: 245MB <SD Memory Card> at mmc0 16MHz/4bit
GEOM_LABEL: Label for provider mmcsd0s1 is msdosfs/KINGSTON.

Writing speed
The writing speed is about 8 seconds faster than in the previous test. :)

coeus# mount -t msdosfs /dev/mmcsd0s1 /mnt/sd
coeus# dd if=/dev/zero of=/mnt/sd/test.img bs=1k count=10k
10240+0 records in
10240+0 records out
10485760 bytes transferred in 2.203386 secs (4758930 bytes/sec)

January 19th, 2009, posted by Kevin Foo (chfl4gs_)

Learn Engrish from Jabatan Pendaftaran Negara

I had a good laugh after reading the post by Patrick Teoh and received more links from my colleague at work. Here is the content of the forwarded email.


Subject: Learn Engrish from Jabatan Pendaftaran Negara
GSA,... ( would love to get your feedback on this )

Go to this link..... http://www.jpn.gov.my/BI/4_1_web.php

Have a good smirk ...search more http://www.jpn.gov.my/BI/

Laugh or cry ( depending on your attachment to Malaysia)
http://www.jpn.gov.my/BI/command_set.php

Enjoying yourself now...?... read here... this is the gem..
http://www.jpn.gov.my/BI/3_3_1_pengenalan.php

Gosh!!!!!!!!

December 5th, 2008, posted by Kevin Foo (chfl4gs_)

Superman is dead!



The local press tried to be hilarious? See the story by The Star.

October 15th, 2008, posted by Kevin Foo (chfl4gs_)

TM : Reverse DNS delegation


I made a request to TM for reverse DNS delegation of the static IP address ranges that were assigned to our office SDSL accounts. 2 thumbs up for their prompt response and action on my query. Now my name servers are managing the pointers for the IP address ranges. I'm a user of DJB's tinydns. Below are the tinydns data entries. The IP address values and the domain are masked.

=router.mydomain.com:124.99.199.41
=firewall.mydomain.com:124.99.199.42
=ns3.mydomain.com:124.99.199.43
.41.199.99.124.in-addr.arpa::ns1.mydomain.com:3600
.41.199.99.124.in-addr.arpa::ns2.mydomain.com:3600
.41.199.99.124.in-addr.arpa::ns3.mydomain.com:3600
.41.199.99.124.in-addr.arpa::ns4.mydomain.com:3600
.42.199.99.124.in-addr.arpa::ns1.mydomain.com:3600
.42.199.99.124.in-addr.arpa::ns2.mydomain.com:3600
.42.199.99.124.in-addr.arpa::ns3.mydomain.com:3600
.42.199.99.124.in-addr.arpa::ns4.mydomain.com:3600
.43.199.99.124.in-addr.arpa::ns1.mydomain.com:3600
.43.199.99.124.in-addr.arpa::ns2.mydomain.com:3600
.43.199.99.124.in-addr.arpa::ns3.mydomain.com:3600
.43.199.99.124.in-addr.arpa::ns4.mydomain.com:3600
.44.199.99.124.in-addr.arpa::ns1.mydomain.com:3600
.44.199.99.124.in-addr.arpa::ns2.mydomain.com:3600
.44.199.99.124.in-addr.arpa::ns3.mydomain.com:3600
.44.199.99.124.in-addr.arpa::ns4.mydomain.com:3600
.45.199.99.124.in-addr.arpa::ns1.mydomain.com:3600
.45.199.99.124.in-addr.arpa::ns2.mydomain.com:3600
.45.199.99.124.in-addr.arpa::ns3.mydomain.com:3600
.45.199.99.124.in-addr.arpa::ns4.mydomain.com:3600
.46.199.99.124.in-addr.arpa::ns1.mydomain.com:3600
.46.199.99.124.in-addr.arpa::ns2.mydomain.com:3600
.46.199.99.124.in-addr.arpa::ns3.mydomain.com:3600
.46.199.99.124.in-addr.arpa::ns4.mydomain.com:3600

The Lookup

%dig 42.199.99.124.in-addr.arpa NS

; <<>> DiG 9.3.4 <<>> 42.199.99.124.in-addr.arpa NS
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1968
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4

;; QUESTION SECTION:
;42.199.99.124.in-addr.arpa. IN NS

;; ANSWER SECTION:
42.199.99.124.in-addr.arpa. 3600 IN NS ns1.mydomain.com.
42.199.99.124.in-addr.arpa. 3600 IN NS ns2.mydomain.com.
42.199.99.124.in-addr.arpa. 3600 IN NS ns3.mydomain.com.
42.199.99.124.in-addr.arpa. 3600 IN NS ns4.mydomain.com.

;; ADDITIONAL SECTION:
ns1.mydomain.com. 22258 IN A 202.191.74.118
ns2.mydomain.com. 22260 IN A 203.175.167.108
ns3.mydomain.com. 22260 IN A 124.99.199.43
ns4.mydomain.com. 22260 IN A 212.214.138.2

;; Query time: 44 msec
;; SERVER: 161.142.2.17#53(161.142.2.17)
;; WHEN: Wed Oct 15 12:21:10 2008
;; MSG SIZE rcvd: 195


%nslookup 124.99.199.42
Server: 161.142.2.17
Address: 161.142.2.17#53

Non-authoritative answer:
42.199.99.124.in-addr.arpa name = firewall.mydomain.com.

Authoritative answers can be found from:
42.199.99.124.in-addr.arpa nameserver = ns4.mydomain.com.
42.199.99.124.in-addr.arpa nameserver = ns1.mydomain.com.
42.199.99.124.in-addr.arpa nameserver = ns2.mydomain.com.
42.199.99.124.in-addr.arpa nameserver = ns3.mydomain.com.
ns1.mydomain.com internet address = 202.191.74.118
ns2.mydomain.com internet address = 203.175.167.108
ns3.mydomain.com internet address = 124.99.199.43
ns4.mydomain.com internet address = 212.214.138.2

October 15th, 2008, posted by Kevin Foo (chfl4gs_)

HeX 2.0 “Bonobo” is now!

After a long development, we have finally managed to produce release version 2 of HeX, codename "Bonobo". What's new in HeX 2.0? Check out https://trac.security.org.my/hex/wiki/WhatsNew. Official announcement at http://groups.google.com/group/HeX-liveCD/browse_thread/thread/9a70e96591639ff9

Thanks to all the raWPacket members who have put the effort in HeX 2.0 development, you guys are always rocking!

You can grab the latest ISO (Malaysian master)
http://my.rawpacket.org/hex-i386-2.0.iso
http://my.rawpacket.org/hex-i386-2.0.iso.md5
http://my.rawpacket.org/hex-i386-2.0.iso.sha256

Malaysian mirror at Multimedia University (Thanks to Zamri Besar)
http://archive.mmu.edu.my/hex/hex-i386-2.0.iso
http://archive.mmu.edu.my/hex/hex-i386-2.0.iso.md5
http://archive.mmu.edu.my/hex/hex-i386-2.0.iso.sha256

Latest ISO (US mirror)
http://us.rawpacket.org/hex-i386-2.0.iso
http://us.rawpacket.org/hex-i386-2.0.iso.md5
http://us.rawpacket.org/hex-i386-2.0.iso.sha256

US mirror at the Georgia Institute of Technology (Thanks to Scholar01)
http://hexbit.csc.gatech.edu/hex-iso/hex-i386-2.0.iso
http://hexbit.csc.gatech.edu/hex-iso/hex-i386-2.0.iso.md5
http://hexbit.csc.gatech.edu/hex-iso/hex-i386-2.0.iso.sha256

US mirror at RedSphere Global Security, LLC. (Thanks to JJ Cummings)
https://secure.redsphereglobal.com/data/tools/security/live/HeX/hex-i386-2.0.iso
https://secure.redsphereglobal.com/data/tools/security/live/HeX/hex-i386-2.0.iso.md5
https://secure.redsphereglobal.com/data/tools/security/live/HeX/hex-i386-2.0.iso.sha256

October 6th, 2008, posted by Kevin Foo (chfl4gs_)