The other problem I had to deal with was the ADSL Router (Comtrend HG532c, The one provided by the Spanish ISP Jazztel) configuration:

• Open the required port: This was an easy one just opening the 7 a 9 port and forwarding them to the server we want to WOL from the internet
• Make the router remember the server’s tuple MAC/IP address. That was easy too, but some manual work was needed as when router is restarted the ARP table is flushed. 

In my current job I had to change recently some configuration and restart more than 600 IP phones. To perform such titanic task I created a quick and dirty script using expect. It worked like a charm and made me think about automatize the way I set the ARP table in my Comtrend HG532c ADSL router.

The scripts is very easy to understand. It just simulates a Telnet session with your router:

1. Login and password
2. Set the required MAC/IP tuple
3. Displays the ARP table

Here you are:

#!/usr/bin/expect -f
set timeout 10
set env(TERM)

set router "router"  #your router's dns name or IP
set login "admin"    #your router's login. admin is the default
set password "admin" #your router's password. admin is the default
set ip "192.168.1.2" #your server's IP address (not the dns name)
set mac "2f:1e:8a:84:2a:f9" #your server's MAC 

spawn telnet $router
expect "Login: "
send -- "$login\r"
expect "Password: "
send -- "$password\r"
expect "ATP>"
send "sh\r"
expect "# "
send "arp -s $ip $mac\r"
expect "# "
## check that all is right
send "arp -a\r"
expect "# "

The output must be similar to:

juan@mediacenter:~/bin$ ./ActualizarTablaArpRouterADSL.sh
spawn telnet router
Trying 192.168.1.1...
Connected to router.
Escape character is '^]'.
-------------------------------
-----Welcome to ATP Cli------
-------------------------------

Login: admin
Password:
ATP>sh

BusyBox vv1.9.1 (2011-05-25 16:23:47 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# arp -s 192.168.1.2 00:1e:8c:84:2a:f9
# arp -a
? (192.168.1.2) at 2F:1E:8A:84:2A:F9 [ether] PERM on br0

As can be seen in the last line the router have set the ARP entry as permanent…. permanent till router next restart. But at least every time this script is run the ARP is set automagically

The next thing to do is to put this script in a crontab job, /etc/rc.local, etc of one of your servers. This way every time it runs you will be sure that you can restart your server from the internet.

My decision was add a line in my server’s /etc/rc.local file like this:

#### Sets the MAC/IP tuple in ADSL router for WOL from internet
/path/to/ActualizarTablaArpRouterADSL.sh |mail -s "`hostname` MAC para el WOL" email@domain.tld

This has 2 added benefits:

1. I will know when my server is started
2. I will know that my router configuration is ready for wake on lan

The last step is have at least to ways to start your computer from the internet. Mine are:

1. Online Wake-On-LAN web page.
2. Wol Wake on Lan Wan for my Android phone.

I have created a github project: expect-update-arp-table-ADSL-router-for-wol (just in case other features can be added later) where you can download also the source code.

Enjoy!

When it happened there wasn’t any .deb package so I had to install it manually from a .tgz file. I have checked the Citrix Client download page today and there is a .deb package so I will continue using it:

1. Go to Citrix Client download page. and download the .deb (debian/ubuntu friendly) client depending your architecture 32 bits or 64. There is also a ARM version for smartphones but it is out of the scope of this tutorial. Pay attention to a small advice in the webpage x86 client – requires OpenMotif v.2.3.1. That’s an easy one :

   sudo wajig install libmotif4 motif-clients

2. Install the client manually using dpkg. Go to the directory where you downloaded the client and install it:

juan@virtualito:~/Descargas$ sudo dpkg -i icaclient_12.0.0_i386.deb
Selecting previously unselected package icaclient.
(Leyendo la base de datos ... 262342 ficheros o directorios instalados actualmente.)
Desempaquetando icaclient (de icaclient_12.0.0_i386.deb) ...
Configurando icaclient (12.0.0) ...
No target eula.txt found under . for es_ES.UTF-8
Trying English...
No target Npica.ad found under . for es_ES.UTF-8
Trying English...
No target module.ini found under .. for es_ES.UTF-8
Trying English...
No target wfclient.ini found under .. for es_ES.UTF-8
Trying English...
No target appsrv.ini found under .. for es_ES.UTF-8
Trying English...

No target index.htm found under .. for es_ES.UTF-8
Trying English...
Procesando disparadores para menu ...

As you can see it is really easy and a 2 steps (5 minutes) consuming task. Things are getting easier for .deb packages users.

Anyway if you want to try the .tgz way. Here you are:

1. Go to Citrix Client download page. and download the .tgz (all linux flavor friendly) client depending your architecture 32 bits or 64.
2. Install the OpenMotif v.2.3.1. Just in case: 

   sudo wajig install libmotif4 motif-clients

3. untar, unzip the downloaded .tgz package and run the ./setupwfc script:

juan@virtualito:~/Desktop$ ./setupwfc                                                                

No target setupwfc.msg found under /home/juan/Desktop/. for es_ES@euro                               

Trying English...                                                                                     

No target hinst.msg found under /home/juan/Desktop for es_ES@euro                                    

Trying English...                                                                                     

Citrix Receiver for Linux 11.0 setup.                                                                

Copyright 1996-2009 Citrix Systems, Inc. All rights reserved.

Citrix, Independent Computing Architecture (ICA), Program Neighborhood,

MetaFrame, and MetaFrame XP are registered trademarks and Citrix Receiver,

Citrix XenApp, XenDesktop, Citrix Presentation Server, Citrix Access Suite,

and SpeedScreen are trademarks of Citrix Systems, Inc. in the United States

and other countries.                                                       

Microsoft, MS, MS-DOS, Outlook, Windows, Windows NT, and BackOffice are

either registered trademarks or trademarks of Microsoft Corporation in

the United States and other countries.                                 

All other Trade Names referred to are the Servicemark, Trademark,

or Registered Trademark of the respective manufacturers.        

User install mode.

Select a setup option:

 1. Install Citrix Receiver for Linux 11.0

 2. Remove Citrix Receiver for Linux 11.0

 3. Quit Citrix Receiver for Linux 11.0 setup

Enter option number 1-3 [1]: 1

Please enter the directory in which Citrix Receiver for Linux is to be installed.

[default /home/juan/ICAClient/linuxx86]                                         

or type "quit" to abandon the installation:                                     

The parent directory /home/juan/ICAClient does not exist.

Do you want to create it? [default y]: y                

You have chosen to install Citrix Receiver for Linux 11.0 in /home/juan/ICAClient/linuxx86.

Proceed with installation? [default n]: y

No target eula.txt found under /home/juan/Desktop for es_ES@euro

Trying English...                                              

CITRIX(R) LICENSE AGREEMENT                                     

Use of this component is subject to the Citrix license covering the

Citrix product(s) with which you will be using this component. This

component is only licensed for use with such Citrix product(s).    

CTX_code EP_T_A34320

Select an option:

 1. I accept

 2. I do not accept

Enter option number 1-2 [2]: 1

Installation proceeding...   

Checking available disk space ...

        Disk space available 5882688 K

        Disk space required 6267 K    

Continuing ...

Creating directory /home/juan/ICAClient/linuxx86

Core package...                                

Setting file permissions...                    

No target eula.txt found under . for es_ES@euro

Trying English...                              

No target install.txt found under . for es_ES@euro

Trying English...                                

No target readme.txt found under . for es_ES@euro

Trying English...                                

No target Npica.ad found under . for es_ES@euro  

Trying English...                                 

No target module.ini found under .. for es_ES@euro

Trying English...                                

No target wfclient.ini found under .. for es_ES@euro

Trying English...                                  

No target appsrv.ini found under .. for es_ES@euro

Trying English...                                  

No target index.htm found under .. for es_ES@euro

Trying English...                               

Integrating with browsers...                    

Integration complete.

Do you want to integrate Citrix Receiver with KDE and GNOME? [default y]: y

Do you want GStreamer to use the plugin from this client? [default y]: y  

Select a setup option:

 1. Install Citrix Receiver for Linux 11.0

 2. Remove Citrix Receiver for Linux 11.0

 3. Quit Citrix Receiver for Linux 11.0 setup

Enter option number 1-3 [2]: 3

Quitting Citrix Receiver for Linux 11.0 setup.

Now you can connect to your Citrix servers from Linux using Firefox or Iceweasel as the Citrix client is fully integrated with both.

Enjoy!

I have assisted to several others Ubuntu webminars:

• What’s new in Landscape 1.5:

1. Link to the webinar
2. Link to the documents

• Ubuntu Enterprsie Cloud in your Business:

1. Link to the webinar
2. Link to the documents

• Successful desktop migrations:

1. Link to the webinar
2. Link to the documents

• Managing UEC with Landscape:

1. Link to the webinar
2. Link to the documents

• Top 10 Server questions answered

1. Link to the webinar This one I couldn’t assist  but anyway the webinar is public

Here you are the list with all Canonical webminars.

More or less I already knew all the concepts speakers talked about: Landscape, cloud, computing, monitoring, provisioning etc. But in this one I first hear about something called Service orchestration.

I have previous experience with (as they call in the webinar): Machine-centric configuration management systems as puppet and more or less with Landscape but In the webinar they talk about Service-centric management.

Interesting concept: managing services not machines.

I have learned something new so I can go to sleep now. – Spanish saying

In that email the user was referring to very useful tutorial: Check Point Firewall-1 NG(X). I remembered that link as I used it to configure my first road warrior VPN client. But this document is outdated as the procedure to obtain the private key is not valid anymore. There is a new procedure that I documented in my personal wiki. In this post I am gonna copy & paste the right procedure from it.

This is a almost copy and paste procedure post. I am not going to explain all the “History/Theory” as it has been already well documented in the Check Point Firewall-1 NG(X) tutorial.

Get the needed files from the .pk12 certificate and put them in the right directories:

Retrieving DER-encoded CRL from CheckPoint

wget http://firewall-1:18264/ICA_CRL1.crl

Converting DER-encoded CRL to PEM-encoded and store it in related directory

openssl crl -in ICA_CRL1.crl -inform DER -outform PEM -out /etc/ipsec.d/crls/checkpoint.crl

Convert user certificate generated by Check Point Management from PKCS#12 to X.509

Extract private key of user PKCS#12, you have to specify first the import password (remember: given in GUI) and an export password

openssl pkcs12 -in vpnjuan.p12 -nocerts -out tempkey.pem

Convert private key of user to RSA:

openssl rsa -in tempkey.pem -des3 -out /etc/ipsec.d/private/vpnjuan-key.pem

Copy firewall-1-cert.pem (provided by your network admin) in /etc/ipsec.d/certs/firewall-1-cert.pem

Extract certificates of user from PKCS#12 to X.509 (results in a file containing the CA and the user certificate)

openssl pkcs12 -in vpnjuan.p12 -nokeys -out temp2.pem

Split singe file into different ones, results in e.g. firewall-1-internal-ca.pem (CA certificate is first one in file) and vpnjuan-cert.pem (user certificate is normally the second one in file) The header part of the CA certificate is like:

subject=/O=checkpoint.intranet.example.com..p9bkhs

issuer= /O=checkpoint.intranet.example.com..p9bkhs

The header of the user certificate is like:

subject=/O=checkpoint.intranet.example.com..p9bkhs/OU=users/CN=freeswan

issuer=/O=checkpoint.intranet.example.com..p9bkhs

Copy user X.509 certificate to related Openswan directory

cp vpnjuan-cert.pem /etc/ipsec.d/certs

Copy firewall-1 CA certificate to related Openswan directory

cp firewall-1-internal-ca.pem /etc/ipsec.d/cacerts

Modifying the .conf files:

Add the following line to /etc/ipsec.secrets

: RSA /etc/ipsec.d/private/vpnjuan-key.pem %prompt

Modify the /etc/ipsec.conf depending your own configuration:

# /etc/ipsec/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006/10/19 03:49:46 paul Exp $

# This file:  /usr/share/doc/openswan-2.4.15-r2/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg: plutodebug="control parsing"
        #
        # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        #
        # enable this if you see "failed to find any available worker"
        nhelpers=0
#       plutodebug=all
        protostack=netkey
# Add connections here
# sample VPN connections, see /etc/ipsec.d/examples/

## RoadWarrior to Net behind Gateway: FreeS/WAN X.509 <-> Check Point - Net
conn MYCOMPANYCONNECTION
    # Right side is FreeS/WAN RoadWarrior
    right=%defaultroute
    rightrsasigkey=%cert
    rightcert=vpnjuan-cert.pem
    # Left side is Check Point
    left=X.X.X.X          ### put here your firewall's IP address
    leftsubnet=10.0.0.0/8 ### put here your company's network range
    leftcert=firewall-1-cert.pem
    leftid=X.X.X.X        ### put here your firewall's IP address
    # config
    type=tunnel
    keyingtries=3
    disablearrivalcheck=no
    authby=rsasig
    auth=esp
    keyexchange=ike
    auto=route

Procedure to connect:

Restart ipsec daemon to reread configuration:

mediacenter:/etc/ipsec.d/certs# service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: stop ordered, but IPsec appears to be already stopped!
ipsec_setup: doing cleanup anyway...
ipsec_setup: Starting Openswan IPsec U2.6.28/K2.6.38-2-amd64...

Insert the passphrase of yout private key:

mediacenter:/etc/ipsec.d/certs# ipsec auto --rereadsecrets
040 need passphrase for '/etc/ipsec.d/private/vpnjuan-key.pem'
Enter passphrase:

Start the VPN:

mediacenter:/etc/ipsec.d/certs# ipsec auto –up MYCOMPANYCONNECTION

104 "MYCOMPANYCONNECTION" #1: STATE_MAIN_I1: initiate
003 "MYCOMPANYCONNECTION" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
106 "MYCOMPANYCONNECTION" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "MYCOMPANYCONNECTION" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
108 "MYCOMPANYCONNECTION" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "MYCOMPANYCONNECTION" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "MYCOMPANYCONNECTION" #2: STATE_QUICK_I1: initiate
003 "MYCOMPANYCONNECTION" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=1a0f153c
004 "MYCOMPANYCONNECTION" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x6ae22f40 <0x4bca9ef5 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}

Launch the rdesktop (terminal server client for linux) against your Pc’s IP address and have fun!

mediacenter:/etc/ipsec.d/certs# rdesktop X.X.X.X

Bluehost allows to download a daily, weekly and monthly backup from your Cpanel control panel, but manual intervention is needed:

1. Logon in the control panel
2. Navigate to the backup page
3. Perform the backup
4. Download it to your local computer.

This is a manually/time consuming task and of course you should not forget it!!

In this post I gonna show my automatic method to backup files and databases using:

1. Crontab for automatic backups.
2. Public/private keys for passwordless ssh connections.
3. Rsync command for synchronizing directories between remote and local servers. This way bandwidth is reduced as if a file has already been copied to the local server no data transfer is needed.
4. Mysqldump for dumping the MySQL databases to a local file.
5. SpiderOak for data deduplication and remote backup.

Some previous knowledge is needed to understand how it works, anyway there are some useful links to understand it.

Let’s have a look to the script:

#!/bin/bash

# BackupCpanel.sh  Author:juan@elsotanillo.net
# http://www.elsotanillo.net/2011/09/backing-up-a-cpanel-hosting-account/
# Disclaimer: It works OK for my configuration. Please check carefully before using it in production environments

#uncomment for debug
set -x

# Defining some variables
MAILTO="email@domain.tld"
USERDB="YourUserDB"
PASSDB="YourDBPassword"
SSHUSER="YourSSHUser"
DOMAIN="domain.tld" # This is your main domain
REMOTE_PATH_BACKUP="/homeX/XXXXXXX"
LOCAL_PATH_BACKUP="$HOME/$DOMAIN"
LOCAL_MYSQL_PATH_BACKUP="$LOCAL_PATH_BACKUP/BackupDDBB/" # before using it as a DB backup folder it must be created
DB_NAME_BACKUP="BackupDDBB_`date +%Y-%m-%d`.sql"

## Checking ssh-agent is running and have valid identities already loaded
ssh-add -l
if [ $? = 1 ]
        then echo "Please add private key identities to the authentication agent and run it again"|mail -s "error in backup script" $MAILTO
        exit 1
fi ## no identities were loaded, so the script finished here as private/public ssh-keys are needed to remote logon

# Loading ssh-agent variables for private/public passwordless logon
/usr/bin/keychain
source  $HOME/.keychain/${HOSTNAME}-sh

### Remote msyqldump to a local file
ssh $SSHUSER@$DOMAIN "mysqldump -u$USERDB -p$PASSDB --all-databases" > $LOCAL_MYSQL_PATH_BACKUP$DB_NAME_BACKUP 

### Rsync between remote and local server
### We don't want to backup cache, session, mail and others directories,  so I "--exclude" them from the rsync command
###

rsync -avr --exclude 'mail/' \
           --exclude '.cpanel' \
           --exclude 'tmp' \
           --exclude 'BackupDDBB/' \
$SSHUSER@$DOMAIN:$REMOTE_PATH_BACKUP $LOCAL_PATH_BACKUP

# Run SpiderOak for deduplication and folder synchronization
SpiderOak --batchmode

And now let’s explain how it works:

1. Some variables must to be defined depending your own configuration. MAILTO, USERDB, etc. These depends on your login name, ssh user, etc
2. The script checks if the ssh-agent have valid identities already loaded. If not an email is send to MAILTO informing about the error and the script returns a 1 as a returning code.
3. Runs the keychain and read some variables from $HOME/.keychain/${HOSTNAME}-sh file. Please read the Passwordless connections via OpenSSH using public key authentication, keychain and AgentForward. web page for more information.
4. Backup using msyqldump is made in the LOCL_MYSQL_PATH_BACKUP local folder with all your mysql databases. The database dump file is not gziped as this makes the deduplication process useless. (How do I get the best backup deduplication from compressed files?).  Note: I don’t have any postgresql database. If you have any you will have to deal with it by yourself. But the same procedure can be applied with some modifications.
5. At this moment passwordless ssh connections can be made between your computer and the remote server so we can proceed with the raw data in your remote /home/login directory. The rsync command is launched excluding some directories which contains no interesting data to be copied. When rsync finished all the files are copied to our local computer
6. Now is turnto run the SpiderOak command (SpiderOak needs to be previously installed and configured). This will copy (using data deduplication) your pre-defined directories to the SpiderOak cloud. This way you will have at least 2 remote copies: your local PC and the SpiderOak cloud.
   

 Installing SpiderOak in your computer (the debian way)

1. Create your SpiderOak account. They provide a 2 GBlifetime free account.
2. install the client depending your O.S (They have clients for many O.S. windows,linux, MAC OS). For Debian add the following to your sources.list:        deb http://apt.spideroak.com/debian/ stable non-free
3. apt-get update && apt-get install SpiderOak
4. Run SpiderOak from a console to start the configuration GUI and customize it to adjust your needs: defining the directories you want to backup, you want to share, you want to sync with others computers, etc.

FAQs:

I don’t see any deduplication benefits here   Can you put an example?

Imagine you have 3 Joomla, 4 Mediawiki and 6 WordPress installations in your Bluehost account.

The benefits can be seen when the SpiderOak software copies the data between your server and its cloud network as all the installation files must be the same (if your are using same versions) and even if they are different versions as they must look similar. Data is transfered onces for same files and partially for similar files. This saves you a lot of bandwidth and space on your SpiderOak account.

“SpiderOak uses de-duplication in a very advantageous way as it relates to your SpiderOak account“

Today my SpiderOak account has 21.515 GB

Size of all stored files (without compression or deduplication): 107.638 GB

Also SpiderOak keep multiple versions of files:

“If a file is ever damaged or deleted or accidentally overwritten, you will always have the option of downloading an earlier undamaged version.”

I am a little bit concerned/paranoid with my backups. How can I have more security in my backups?

If for more security you understand more copies of your data in distant places…. you can use the SpiderOak’s SYNC feature.

In a standard configuration you can have several directories synchronized in severals server across multiple location using the standard SpiderOak’s client. Learn howto.

This procedure tries to generalize the template. While working with disk cloned images many elements need to be “generalized” before capturing and deploying a disk image to multiple computers. Some of these elements include:

1. ssh keys
2. /etc/apt/sources.list

The more “generalized” is a template, the less manual work is needed after deploying it.

This method must work in others virtualization systems: vmware, virtualbox, etc. As it is “virtualizator/hypervisor/emulator independent” as it is focused only in the disk image.

• Install the Debian image using you usual procedure, LVM, packages, virtio, etc.

• Set Debian repositories

cat <<EOF > /etc/apt/sources.list
deb http://ftp.rediris.es/debian/ squeeze main
deb-src http://ftp.rediris.es/debian/ squeeze main

deb http://security.debian.org/ squeeze/updates main
deb-src http://security.debian.org/ squeeze/updates main

# squeeze-updates, previously known as 'volatile'
deb http://ftp.rediris.es/debian/ squeeze-updates main
deb-src http://ftp.rediris.es/debian/ squeeze-updates main
EOF

• Install some more packages

apt-get install ssh quota less acpid bash-completion sudo vim facter

• Remove some unneeded packages

dpkg --purge ppp pppoeconf pppoe pppconfig

• Upgrade system

apt-get upgrade

• Clean packages

After installing packages, you’ll have some junk packages laying around in your cache. Since you don’t want your template to have those, this command will wipe them out.

apt-get --purge clean

• Reconfigure your desired locales

dpkg-reconfigure locales

• Change timezone

dpkg-reconfigure tzdata

• Disable all but one tty in /etc/inittab as in a VM you don’t usually need 6 tty working, even in real servers…

# Note that on most Debian systems tty7 is used by the X Window System,
# so if you want to add more getty's go ahead but skip tty7 if you run X.
#
1:2345:respawn:/sbin/getty 38400 tty1
#2:23:respawn:/sbin/getty 38400 tty2
#3:23:respawn:/sbin/getty 38400 tty3
#4:23:respawn:/sbin/getty 38400 tty4
#5:23:respawn:/sbin/getty 38400 tty5
#6:23:respawn:/sbin/getty 38400 tty6

• Disable sync() for syslog

Turn off doing sync() on every write for syslog’s log files, to improve I/O performance:

sed -i -e 's@\([[:space:]]\)\(/var/log/\)@\1-\2@' /etc/*syslog.conf

• Copy your public key to the template (for passwordless ssh logins)

ssh-copy-id root@IPADDRESS

• Delete the udev rule related to your NIC

This is important or when you clone your first VM you will see that it doesn’t have any NIC… This is caused by the rule /etc/udev/rules.d/70-persistent-net.rules as it has your current MAC configured on it. Cloned VM will have different MAC so this rule will fail and VM will not have any eth0 configured.

# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single
# line, and change only the value of the NAME= key.

# PCI device 0x1af4:0x1000 (virtio_net)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="52:54:00:18:d9:5f", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERN
EL=="eth*", NAME="eth0"

It’s safe to delete it as a new file will be generated on boot time

rm /etc/udev/rules.d/70-persistent-net.rules

• Fix SSH host keys.

rm -f /etc/ssh/ssh_host_*

This is only useful if you installed SSH. Each individual VM should have its own pair of SSH host keys. The code below will wipe out the existing SSH keys and instruct the newly-created VE to create new SSH keys on first boot.

cat << EOF > /etc/init.d/ssh_gen_host_keys
#!/bin/sh
### BEGIN INIT INFO
# Provides:          Generates new ssh host keys on first boot
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Generates new ssh host keys on first boot
# Description:       Generates new ssh host keys on first boot
### END INIT INFO
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ""
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ""
insserv -r /etc/init.d/ssh_gen_host_keys
rm -f \$0
EOF

chmod a+x /etc/init.d/ssh_gen_host_keys
insserv /etc/init.d/ssh_gen_host_keys

Finally stop the VM make a backup and label it as a Template.

In next posts I am gonna configure all the cloned servers “automagically” using puppet.

Have a look to the Installing Puppet master and client in the same host. The Debian way previous post for more info.

I took the main ideas from Splitting puppetd from puppetmaster from madduck‘s blog. But using this method you don’t have to create 2 differents ssl directories. Both installations (client and server) will share the same directory. I think it’s easier to implement and maintain.

The golden rule is to create all the SSL stuff (CA, keys, certificates,etc) in the right moment. And you may ask… When is the right moment? After the file /etc/puppet/puppet.conf is created with the certname directive properly updated. As by default puppet create all the SSL stuff using the hostname instead of the alias you want.

This tutorial assume you are using Debian (but should work on its derivatives: Ubuntu, Mint, etc) and have one server with two aliases replying to the same host (via /etc/hosts or DNS) In my case: puppet (server) and mediacenter (client).

Let’s have fun:

• Install puppetmaster:

apt-get install puppetmaster

• Stop puppetmaster:

/etc/init.d/puppetmaster stop

• kill puppet master processes

root@mediacenter:/etc/puppet# ps -ef|grep puppet
puppet    3610     1  0 08:09 ?        00:00:01 /usr/bin/ruby1.8 /usr/bin/puppet master --masterport=8140
root      4053  3035  0 08:28 pts/0    00:00:00 grep puppet
kill 3610

• Remove ssl directory: (as it has the ssl data related to the hostname instead of the alias you want)

rm -rf /etc/puppet/ssl/

• create /etc/puppet/puppet.conf

[main]

[master]
certname=puppet.vnet

[agent]
server=puppet.vnet

• Start puppetmaster:

/etc/init.d/puppetmaster start

• Check ssl logs on /var/log/daemon.log (ans check ssl directory and certificates have been created using puppet as server name)

mediacenter puppet-master[3758]: Signed certificate request for ca
mediacenter puppet-master[3758]: Rebuilding inventory file
mediacenter puppet-master[3758]: puppet.vnet has a waiting certificate request
mediacenter puppet-master[3758]: Signed certificate request for puppet.vnet
mediacenter puppet-master[3758]: Removing file Puppet::SSL::CertificateRequest puppet.vnet at '/etc/puppet/ssl/ca/requests/puppetmaster.vnet.pem'
mediacenter puppet-master[3758]: Removing file Puppet::SSL::CertificateRequest puppet.vnet at '/etc/puppet/ssl/certificate_requests/puppetmaster.vnet.pem'
mediacenter puppet-master[3815]: Reopening log files
mediacenter puppet-master[3815]: Starting Puppet master version 2.7.1

• Check ssl directory has been re-created on /etc/puppet:

ls /etc/puppet/ssl

• Install puppet client:

apt-get install puppet

• Create a SSL certificate for mediacenter.vnet. In order for the two systems to communicate securely we need to create signed SSL certificates.

root@mediacenter:/etc/puppet# puppetd --no-daemonize --onetime --verbose --waitforcert 30
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for mediacenter.vnet
info: Certificate Request fingerprint (md5): 93:7C:65:BD:77:39:2C:90:F3:15:99:D1:46:18:F1:40
warning: peer certificate won't be verified in this SSL session

• Check all certificates:

root@mediacenter:/etc/puppet# puppetca --list --all
mediacenter.vnet (93:7C:65:BD:77:39:2C:90:F3:15:99:D1:46:18:F1:40)
+ puppet.vnet (7A:5B:E1:42:00:B3:C9:EE:38:10:47:9E:D2:ED:C2:8C)

• Check pending certificates (to be signed by the server)

root@mediacenter:/etc/puppet# puppetca --list
mediacenter.vnet

• Sign mediacenter.vnet certificate

root@mediacenter:/etc/puppet# puppetca --sign mediacenter.vnet
notice: Signed certificate request for mediacenter.vnet

• Now all certificates are signed. Pay attention to the plus (+) symbol

root@mediacenter:/etc/puppet# puppetca --list --all
+ mediacenter.vnet (B3:87:0C:F5:05:00:29:76:07:B5:1C:D1:2B:DA:20:12)
+ puppet.vnet (7A:5B:E1:42:00:B3:C9:EE:38:10:47:9E:D2:ED:C2:8C)

• At this moment some test can be performed. from: Installing Puppet On Ubuntu.

• Create the file /etc/puppet/manifests/site.pp

1. Create “/tmp/testfile” if it doesn’t exist.

class test_class {
   file { "/tmp/testfile":
      ensure => present,
      mode   => 644,
      owner  => root,
      group  => root
    }
}

# tell puppet on which client to run the class
node mediacenter {
    include test_class
}

• On the client run puppetd in verbose mode (-v) and only once (-o).

puppetd -v -o

• Then you will see in the logs the following:

mediacenter puppet-master[4620]: Compiled catalog for mediacenter.vnet in environment production in 0.02 seconds
mediacenter puppet-agent[5271]: Caching catalog for mediacenter.vnet
mediacenter puppet-agent[5271]: Applying configuration version '1313132026'
mediacenter puppet-agent[5271]: (/Stage[main]/Test_class/File[/tmp/testfile]/ensure) created
mediacenter puppet-agent[5271]: Finished catalog run in 0.06 seconds

• Check is the file has been created:

ls -l /tmp/testfile
-rw-r--r-- 1 root root 0 ago 13 18:53 /tmp/testfile

• Now that all is running OK, configure the puppet agent to start on boot by modifying /etc/default/puppet

# Defaults for puppet - sourced by /etc/init.d/puppet

# Start puppet on boot?
START=yes

# Startup options
DAEMON_OPTS=""

• Start puppet client

/etc/init.d/puppet start

Now, you can start playing with puppet master and client in the same host. Have fun!

Special thanks to madduck for sharing his time and knowledge!.

Finally I decided to move on with WordPress and with the help of Misterpah‘s Mambo Importer plug-in at least half of the work was already done. Although some manual work has to be done (recreating path’s, images, etc)

Special thanks to Misterpah for sharing his knowledge and time!

P.S.: Starting from today all (or at least almost) news posts/pages will be written in English.

One week doing Yoga, meditation,enjoying Jose’s vegetarian food, learning and practicing. And a very important thing: One week without computers.

And… of course I got my diploma

El comando a usar es el ffmpeg y según los parámetros lo podremos usar para convertir de unos ficheros a otros:

• Convertir ogg a mp3 (ogg2mp3/oggtomp3)

ffmpeg -i nombre.ogg nombre.mp3

• Convertir m4a a mp3 (m4a2mp3/m4atomp3)

ffmpeg -i nombre.m4a nombre.mp3

Si queremos convertir todos los ficheros que hay en un directorio podremos usar el siguiente script:

for i in * ; do ffmpeg -i $i $i.mp3 ; done

Luego para normalizar el nombre usaremos el comando rename:

rename 's/.m4a//' *.m4a.mp3