Uncommon Sense

Lessons in Web Access Management – Josso – Part 1

actionjack — Mon, 20 Feb 2012 17:39:45 +0000

I’m currently looking for a Web Access Management tool to manage and control access to a number of hosted applications.

Wikipedia defines Web Access Management as:
Authentication Management
Policy-based Authorizations
Audit & Reporting Services
Single sign-on Convenience

I’ve had previous experience in this space using CA’s Siteminder product but this time I want to experience some “open” alternatives where the information on the use and configuration of the product isn’t as limited and the costs aren’t as great.

Initially I thought I’d have a look at JOSSO (Java Open Single Sign On)

Installing Josso

useradd josso
Download josso-ce-2.2.x.tar.gz from sf.net
cd /opt
tar zxvf /path/to/josso-ce-2.2.x.tar.gz
chown -R josso: /opt/josso-ce-2.2.x
su - josso
cd /opt/josso-ce-2.2.x/bin
./atricore

atricore: JAVA_HOME not set; results may vary
__ _____ _____ _____ _____ ___ _____ _____
__| | | __| __| | |_ | | | __|
| | | | |__ |__ | | | | _| | --| __|
|_____|_____|_____|_____|_____| |___| |_____|_____|

JOSSO 2 Community Edition (2.2.1)
Atricore Console (1.1.1) http://localhost:8081/atricore-console/
Atricore Identity Bus (1.2.1)

Apache Felix Karaf (2.2.1)
Hit '' for a list of available commands
and '[cmd] --help' for help on a specific command.

Hit '' or type 'osgi:shutdown' to shutdown JOSSO 2 CE.

karaf@josso-ce>

Enter “osgi:list | grep Atricore” to confirm the services are started and running.

...
[ 41] [Resolved ] [ ] [ ] [ 60] Atricore IDBus :: Kernel : Web Console Branding (1.2.1)
[ 148] [Active ] [ ] [ ] [ 60] Atricore IDBus :: Kernel : Support (1.2.1)
[ 149] [Active ] [ ] [ ] [ 60] Atricore IDBus :: Kernel : XML Digital Signature Binding (1.2.1)
[ 150] [Active ] [ ] [ ] [ 60] Atricore IDBus :: Kernel : SPML 2 w/DSML Profile Binding (1.2.1)
[ 151] [Active ] [ ] [ ] [ 60] Atricore IDBus :: Kernel : SAML R 2.0 Protocol Binding (1.2.1)
[ 152] [Active ] [ ] [ ] [ 60] Atricore IDBus :: Kernel : SAML R1.1 Protocol Binding (1.2.1)
[ 153] [Active ] [ ] [ ] [ 60] Atricore IDBus :: Kernel : Atricore SSO 1.0 Protocol Binding (1.2.1)
...

Browse to http://jossohost:8081/atricore-console/ default login is admin:admin

Java Service Management with YAJSW

actionjack — Fri, 10 Feb 2012 17:52:58 +0000

Ok so what actually is Java Service Management? Well it means easily enabling your java application to be run as a daemon with all the bells and whistles e.g. clean service stopping and starting, logging and jmx profiling.

I was working on a project that ran a java jar file e.g. java -cp application.jar and I initially wrote a simple initscript to stop and start it.Unfortunately it would not daemonize cleanly and dump tons of “useful” info and debug data to the console, eventually it got to the point where I only felt comfortable starting it in using screen.

I finally got time to revisit the situation and look at Tanuki’s Java Service Wrapper software, unfortunately it was incompatible with the project I was working on (and by incompatible I mean it was going to cost me lots and lots of license fees).

Enter YAJSW – Yet Another Java Service Wrapper (http://yajsw.sourceforge.net/):

“YAJSW is a java centric implementation of the java service wrapper by tanuki (JSW).
It aims at being mostly configuration compliant with the original. It should therefore be easy to switch from JSW to YAJSW.”

And it only took me minutes to get working:

Download yajsw from Sourceforge
unzip to your application’s working directory
Run the java application and go to $applicationdir/yajsw/bat
Change the mode to all the shell scripts e.g. chmod a+x *.sh
Run ./genConfig.sh $java_app_pid
Edit $applicationdir/yajsw/conf/wrapper.conf and customise it to your needs
Run ./runConsole.sh to check if the application is running correctly.
If you want to install the service run ./installService.sh this will create the required initscripts and place them into /etc/init.d/ and /etc/rc.d/runlevel directories.
You can then choose to either run the startService or stopService shell scripts or use the newly created one in /etc/init.d.

More detailed configuration can be found on their main site and this one is definitely a keeper for my java deployment toolkit.

Moving from puppet-iptables to puppet-firewall

actionjack — Fri, 03 Feb 2012 16:53:26 +0000

After months of procrastination I finally migrated from puppet-iptables to puppet-firewall and I’m so glad that I did!

I’m beginning to see what Ken Barber (@ken_barber) was hinting at when he told me at the last EU Devops Days conference that configuring linux firewalls was just tip of the iceberg, I can now see the path of it being used to configure Cisco and Juniper based firewalls eventually.

To get the puppet-firewall module working for me out of the box I had to add the following to my site.pp

exec { 'clear-firewall':
command => '/sbin/iptables -F',

refreshonly => true,

}

exec { 'persist-firewall':

command => '/sbin/iptables-save >/etc/sysconfig/iptables',

refreshonly => true,

}

Firewall {

subscribe => Exec['clear-firewall'],

notify => Exec['persist-firewall'],

}

After that I configured a base firewall module e.g.

class basefirewall {

resources { 'firewall':

purge => true,

}

firewall { "001 accept all icmp requests":

proto => 'icmp',

action => accept,

}

firewall { '002 INPUT allow loopback':

iniface => 'lo',

chain => 'INPUT',

action => accept,

}

firewall { '000 INPUT allow related and established':

state => ['RELATED', 'ESTABLISHED'],

action => accept,

proto => 'all',

}

…

}

Top Marks for this module!

http://github.com/puppetlabs/puppetlabs-firewall

HAProxy and MySQL lockouts

actionjack — Wed, 01 Feb 2012 18:32:46 +0000

For the last couple of days I’ve been playing around with HAProxy MySQL/Galera to create a fault tolerant, load balancing database backend that is invisible to the application.

Unfortunately, I was having an issues, that after a set amount of time the MySQL nodes would stop accepting connections.

After a bit of failed googling I visited the #haproxy irc chat on Freenode and a couple of helpful fellows called @vr and @meineerde pointed me to this section of the HAProxy configuration guide:

…It was reported that it can generate lockout if check is too frequent and/or if there is not enough traffic. In fact, you need in this case to check MySQL “max_connect_errors” value as if a connection is established successfully within fewer than MySQL “max_connect_errors” attempts after a previous connection was interrupted, the error count for the host is cleared to zero. If HAProxy’s server get blocked, the “FLUSH HOSTS” statement is the only way to unblock it.

I had already set the max_connect_errors in my.cnf file to be 1000 but I guess that was no way enough. After looking around the net a bit looking for inspiration I’ve decided to set it to:

[mysqld]

max_connect_errors=999999

WordPress 0 to 60 in 5 minutes flat

lesliebuna — Sun, 01 Jan 2012 13:20:00 +0000

So Steve and I agreed that our first sprint was to build a WordPress server, that’ll be a snap to do (or so I thought!)

In order to create a WordPress server I need 4 main components:

A Server with an Operating System installed
A MySQL database
A HTTP Web Daemon and
The WordPress application itself.
So like a good boy scout I set off about installing a WordPress on a centos box by hand and I found some most excellent instructions here by Andrew at Adlibre.

I hit my first problem, the WordPress package from EPEL for RHEL/CentOS 5 is quite old, it’s 2.8 while the version of WordPress with all the new hotness is 3.0.

Hmm ”old busted” or “new hotness” (not to say the 2.8 is either old or busted but you get what I mean). I decided I’d roll with the new hotness and then I hit another dilemma I couldn’t find a RPM for RHEL/CentOS 5, so should I just roll out the tar ball or create a package for it?

This is currently a hot topic in the Devops community and when I went to Devops Hamburg back in October one of the more popular open space sessions was “packaging vs. non-packaging, when and what?” and the main output was it “depends”.

However I wanted a zero touch and fully automated deployment so I investigated both methods and weighted them up:

Scenario 1 – Installation of Tar ball

Download WordPress tar ball to the server file system
Untar the package and install it to the correct location
Track the installation and ensure that it is valid (correctly installed, all checksums in place (Thanks AndrewH!)) also be able to cleanly handle upgrades.

Scenario 2 – Installation RPM

Package WordPress RPM
Yum install WordPress

I quickly came to the conclusion that the packaging case won over when I imagined the amount of puppet code I’d have to churn out to do scenario #1 and make it robust versus just using what I believed was the right tool for the job i.e. RPM and keeping it as simple as possible.

Name: wordpress
Version: 3.0.1
Release: 1
Group: System/Servers
Summary: Personal publishing platform.
URL: http://wordpress.org/
Source0: http://wordpress.org/%{name}-%{version}.tar.gz
Vendor: WordPress
License: GPLv2+
Packager: Martin Jackson
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-root
Requires: php
Requires: php-mysql

%description
WordPress is an open source Content Management System (CMS), often used as a
blog publishing application, powered by PHP and MySQL. It has many features
including a plug-in architecture and a template system.

%prep
%setup -q -n %{name}

# fix dir perms
find . -type d | xargs chmod 755

# fix file perms
find . -type f | xargs chmod 644

# disable wordpress update option
sed -i -e "s/add_action/#add_action/g" wp-includes/update.php

%install
rm -rf %{buildroot}

install -d %{buildroot}%{_sysconfdir}/httpd/conf.d
install -d %{buildroot}%{_sysconfdir}/%{name}
install -d %{buildroot}/var/www/%{name}

cp -aRf * %{buildroot}/var/www/%{name}/

cat > %{buildroot}%{_sysconfdir}/httpd/conf.d/%{name}.conf << EOF

Alias /%{name} /var/www/%{name}

AllowOverride None
Allow from All

EOF

# cleanup
rm -f %{buildroot}/var/www/%{name}/license.txt

%clean
rm -rf %{buildroot}

%files
%defattr(-,root,root)
/var/www/%{name}
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/%{name}.conf

%changelog
* Wed Nov 17 2010 Martin Jackson 3.0.1.1
- initial Red Hat Enterprise package

OK now I have my newly packaged WordPress 3.0 rpm and life is good, everything else I need is already packaged and can be easily installed using yum, a few minutes later I have a fully functioning WordPress server.

Now for the fun part, how do a fully automate the creation of a WordPress server end to end.

Firstly I created a custom kickstart profile on my cobbler server to install a minimal Just Enough Operating System (JeOS) base build (faster to install and patch with the minimum security attack surface) with some additional post install stuff to bootstrap puppet.

install
url --url http://rasengan/cblr/links/Centos-5.5-x86_64
key --skip
lang en_US.UTF-8
keyboard uk
skipx
network --device eth0 --bootproto dhcp --hostname testvm-wordpress.uncommonsense.local

rootpw --iscrypted $MD5PASSWORD
firewall --enabled --http --port=22:tcp
authconfig --useshadow --enablemd5
selinux --permissive
timezone Europe/London
bootloader --location=mbr --driveorder=vda
clearpart --all --initlabel
part /boot --fstype ext3 --size=100
part pv.2 --size=0 --grow --ondisk=vda
volgroup VolGroup00 --pesize=32768 pv.2
logvol swap --fstype swap --name=LogVol01 --vgname=VolGroup00 --size=512 --grow --maxsize=1024
logvol / --fstype ext3 --name=LogVol00 --vgname=VolGroup00 --size=1024 --grow
repo --name=source-1 --baseurl=http://rasengan/cobbler/ks_mirror/Centos-5.5-x86_64/
$yum_repo_stanza
reboot

%packages --nobase --excludedocs
coreutils
dhclient
yum
rpm
ruby
libselinux-ruby
subversion
e2fsprogs
lvm2
grub
sysstat
ntp
openssh-server
openssh-clients
xorg-x11-xauth
screen
net-snmp
net-snmp-utils
system-config-securitylevel
xterm
mutt
sudo
yum-downloadonly
yum-protectbase
-dhcpv6-client
-iptables-ipv6
-system-config-securitylevel-tui
-wireless-tools
-rhpl
-mdadm

%post
exec < /dev/tty3 > /dev/tty3
chvt 3
echo
echo ##############################
echo # Running Post Configuration #
echo ##############################
echo
rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
echo "192.168.1.5 puppet rasengan rasengan.uncommonsense.local" >> /etc/hosts
yum -y install puppet rdoc
chkconfig puppet on
cat > /etc/sysconfig/puppet << EOF # The puppetmaster server PUPPET_SERVER=rasengan # If you wish to specify the port to connect to do so here #PUPPET_PORT=8140 # Where to log to. Specify syslog to send log messages to the system log. #PUPPET_LOG=/var/log/puppet/puppet.log # You may specify other parameters to the puppet client here #PUPPET_EXTRA_OPTS=--waitforcert=500 EOF cat > /etc/puppet/puppet.conf << EOF [main] # The Puppet log directory. # The default value is '$vardir/log'. logdir = /var/log/puppet # Where Puppet PID files are kept. # The default value is '$vardir/run'. rundir = /var/run/puppet # Where SSL certificates are kept. # The default value is '$confdir/ssl'. ssldir = $vardir/ssl libdir = /var/lib/puppet/lib [puppetd] # The file in which puppetd stores a list of the classes # associated with the retrieved configuratiion. Can be loaded in # the separate ``puppet`` executable using the ``--loadclasses`` # option. # The default value is '$confdir/classes.txt'. classfile = $vardir/classes.txt # Where puppetd caches the local configuration. An # extension indicating the cache format is added automatically. # The default value is '$confdir/localconfig'. localconfig = $vardir/localconfig pluginsync = true plugindest = /var/lib/puppet/lib EOF cat >> /etc/rc.local < installed
}
}

class apache::config {
File{
require => Class["apache::install"],
notify => Class["apache::service"],
owner => "root",
group => "root",
mode => 644
}
}

class apache::service {
service{"httpd":
ensure => running,
enable => true,
require => Class["apache::config"],
}
}

class apache {
include apache::install,
apache::config,
apache::service
}

class apache::disable {
include apache::install,
apache::config
}

For the MySQL installation and configuration I wanted something a little more robust since I believed I could make a lot of use out of a good MySQL puppet module. I found it quite ironic that I stumbled across a problem that I had previously answered on server fault that being how do you find a top notch MySQL module:

There were quite a few out there and after a fair bit of back and forth I settled on the Camp to Camp boys’ MySQL puppet module, it is very functional and quite compact in the amount of supporting modules that are needed to make it function:

puppet-mysql
puppet-augeas
puppet-common

You’ll need to have the plugin sync enabled in your puppet.conf for this to work because it copies some custom facts and plugins to the client in order to create the databases.

1 [main]
2 libdir = /var/lib/puppet/lib
3
4 [puppetd]
5 pluginsync = true
6 plugindest = /var/lib/puppet/lib

Onto the final stretch I need to install WordPress so I whipped up the following puppet module to install WordPress.

?
# Class: wordpress
#
# This class manages the wordpress blogging application
#
# Parameters:
# None
#
#
# Actions:
# Install the wordpress blogging application
#
# Requires:
# - Package["apache","mysqlclient"]
#
# Sample Usage:
#

class wordpress::install {
$packagelist = ["php","php-mysql","wordpress"]
package{ $packagelist:
ensure => latest,
require => Class["repository::uncommonsense"],
}
}

class wordpress::config {
File{
require => Class["wordpress::install"],
notify => Class["apache::service"],
owner => "root",
group => "root",
mode => 644
}
}

class wordpress {
include wordpress::install,
wordpress::config
}

class wordpress::disable {
include wordpress::install
}

I used the following entry in my nodes.pp file to pull it all together

node "testvm-wordpress.uncommonsense.local" {
include repository::uncommonsense
include apache
include augeas
include wordpress
$mysql_password = "foo"
include mysql::server::small

mysql::rights {"Set rights for wordpress database":
user => "username",
password => "password",
database => "wordpress",
}

mysql::database {"wordpress":
ensure => present
}
}

Ok so I now have a fully functional WordPress Server in about 5 minutes. This is just a basic setup but it demonstrates what can be done without too much effort and if I wanted to take this further in the future, I would create an erb template for the wp-config.php so that the database settings are populated by puppet using the existing username, password and database name variables.

Who’s the JBOSS? Rapid Jboss 4.2.3GA AS server installs on CentOS 5

lesliebuna — Sun, 01 Jan 2012 09:41:48 +0000

We have just completed the first part of this sprint – creating an automated jboss server installation based on Jboss 4.2.3GA and CentOS 5.

This one went relatively smoothly thanks to following resources:

Craig Andrews’ Install JBoss 4.2 on Centos/RHEL 5 Blog Post,
The JPackage Project,
R.I. Pienaars Puppet-Concat module and,
Rob Myers [JPackage-discuss] /usr/bin/rebuild-security-providers is needed by package java-1.4.2-gcj-compat fix

Once out of the gate we started with the meatcloud approach and installed everything by hand to find out what the ins and outs were and identify any possible gotcha’s. Straight off the bat we found that there was a problem installing the jboss application server on CentOS/RHEL5 using the JPackage repository due to a rebuild-security-providers dependency, after practicing a bit of google-fu I found Craig Andrews post that pointed us to the following RPM Spec file from Rob Myers JPackage discussion post:

Name: jpackage-utils-compat-el5
Version: 0.0.1
Release: 1%{?dist}%{?repo}
Epoch: 0
Summary: Compatibility For RHEL5 and JPackage
License: GPL
URL: http://rmyers.fedorapeople.org/jpackage-utils-compat-el5
Group: Utilities
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)

BuildArch: noarch
Requires: /bin/bash

%description
Compatibility for JPackage Utils between RHEL5 and the JPackage Project.

%prep
# no setup

%build
# no building

%install
rm -rf $RPM_BUILD_ROOT

install -dm 755 ${RPM_BUILD_ROOT}%{_bindir}
install -dm 755 ${RPM_BUILD_ROOT}%{_sysconfdir}/java/security
install -dm 755 ${RPM_BUILD_ROOT}%{_sysconfdir}/java/security/security.d

pushd ${RPM_BUILD_ROOT}%{_bindir}

cat > rebuild-security-providers << EOF

#!/bin/bash
# Rebuild the list of security providers in classpath.security

secfiles="/usr/lib/security/classpath.security /usr/lib64/security/classpath.security"

for secfile in \$secfiles; do
# check if this classpath.security file exists
[ -f "\$secfile" ] || continue

sed -i '/^security\.provider\./d' "\$secfile"

count=0
for provider in \$(ls /etc/java/security/security.d)
do
count=\$((count + 1))
echo "security.provider.\${count}=\${provider#*-}" >> "\$secfile"
done
done
EOF

popd

%clean
rm -rf $RPM_BUILD_ROOT

%files
%defattr(-,root,root,-)
%{_bindir}/rebuild-security-providers
%{_sysconfdir}/java/security
%{_sysconfdir}/java/security/security.d

%changelog

* Thu Jul 3 2008 Rob Myers <rob.myers at gtri.gatech.edu> - 0:0.0.1-1%{?dist}%{?repo}
- initial release

After vetting what the specfile actually did (Always do this!) and deeming it safe to use we rolled our RPM from it and placed it into our cobbler repository and did a “yum install jbossas”. The default Jpackage installation of Jboss is configured to only listen on localhost for security purposes but we wanted to expose it to our network for testing so we set the JBOSS_IP variable to 0.0.0.0 in the /etc/sysconfig/jbossas file and restarted the jbossas service to make it accessible remotely. It’s all good, just a simple “chkconfig jbossas on” and we are done, a sample jboss server ready to go, now the fun part, automating to whole deployment process from scratch. Breaking out my puppet toolkit, we went about writing a module that would install jbossas, configure it, get it running and set it to autostart on reboot. We also wanted to add some configurability to allow me to change the settings in /etc/sysconfig/jbossas e.g. setting the JBOSS_IP or JAVA_OPTS variables.

# Class: jboss
#
# This class manages the jboss application server
#
# Parameters:
# None
#
#
# Actions:
# Install the jboss application server
#
# Requires:
# - Package[]
# - R.I. Pienaar's puppet-concat module
#
# Sample Usage:
#

class jboss::install {
$packagelist = ["jpackage-utils-compat-el5","jbossas","jbossweb2"]
package{ $packagelist:
ensure => latest,
require => Class["repository::uncommonsense","repository::jpackage::generic","repository::jpackage::el5"],
}
}

class jboss::config {
File{
require => Class["jboss::install"],
notify => Class["jboss::service"],
owner => "root",
group => "root",
mode => 644
}
}

class jboss::service {
service{["jbossas","jbossweb2"]:
ensure => running,
enable => true,
require => Class["jboss::config"],
}
}

class jboss {
include jboss::install,
jboss::service,
jboss::config

include concat::setup

concat{"/etc/sysconfig/jbossas":
notify => Service["jbossas"],
}

concat::fragment{"jboss_sysconfig_header":
target => "/etc/sysconfig/jbossas",
content => template("jboss/jbossas.erb"),
order => 01,
}
}

class jboss::disable {
include jboss::install

}

define jboss::setting($value) {
concat::fragment{"jboss_${name}":
target => "/etc/sysconfig/jbossas",
content => "${name} = ${value}\n",
}
}

We used a slightly modified version of the stock /etc/sysconfig/jbossas file as the template.

# This file was created and transferred by puppet
# Do not edit manually!
#
# Service-specific configuration file for jbossas services
# This will be sourced by the SysV service script after the global
# configuration file /etc/jbossas/jbossas.conf, thus allowing values
# to be overridden on a per-service way
#
# NEVER change the init script itself:
# To change values for all services make your changes in
# /etc/jbossas/jbossas.conf
# To change values for a specific service, change it here
# To create a new service, create a link from /etc/init.d/ to
# /etc/init.d/jbossas (do not copy the init script) and make a copy of the
# /etc/sysconfig/jbossas file to /etc/sysconfig/ and change
# the property values so the two services won't conflict
# Register the new service in the system as usual (see chkconfig and similars)
#
# To change a setting, uncomment the line and set the value for what you want
# The values in the comments are the default values, shown here for convenience
#
#JAVA_HOME=/usr/lib/jvm/java-1.5.0
#
##define where jboss is - this is the directory containing directories log, bin, conf etc
#JBOSS_HOME="/var/lib/jbossas"
#
##make sure java is on your path
#JAVAPTH="/usr/lib/jvm/java/bin"
#
##define the classpath for the shutdown class
##JBOSSCP=
#

##define jboss configuration to start
#JBOSSCONF="production"
#
##define the script to use to start jboss
##JBOSSSH="$JBOSS_HOME/bin/run.sh -c $JBOSSCONF"
#
##define what will be done with the console log
#JBOSS_CONSOLE="$JBOSS_HOME/server/$JBOSSCONF/log/console.log"
#
##define the user under which jboss will run, or use RUNASIS to run as the current user
#JBOSSUS="jboss"
#
##define the group under which jboss will run
#JBOSSGR="jboss"
#
##define the jgroups UDP group (multicast address) for clustering
#JBOSS_UDP_GROUP="228.1.2.3"
#
#define the Http Session Replication UDP port (multicast)
#JBOSS_UDP_PORT_WP="45577"
#
#define the UDP port for JBoss clustering (multicast)
#JBOSS_UDP_PORT_HA="45566"
#
#define the UDP port for the ejb3 entity cache cluster (multicast)
#JBOSS_UDP_PORT_EJB3="43333"
#
#define the UDP port for ejb3 sfsb cache cluster (multicast)
#JBOSS_UDP_PORT_EJB3SFSB="45551"
#

##define the timeout period for starting the server
#JBOSS_START_TIMEOUT="150"
#
##define the timeout period for stopping the server
#JBOSS_STOP_TIMEOUT="60"
#
##define the ip to which the server should bind to
#JBOSS_IP=127.0.0.1

And here are the yum repo definitions required to setup jpackage repos:

class repository::jpackage::generic {
yumrepo { jpackage-generic:
name => "jpackage-generic",
descr => "JPackage (free) Generic",
mirrorlist => "http://www.jpackage.org/mirrorlist.php?dist=generic&type=free&release=5.0",
failovermethod => "priority",
gpgcheck => "1",
gpgkey => "http://www.jpackage.org/jpackage.asc",
enabled => "1",
}
}

class repository::jpackage::el5 {
yumrepo { jpackage-redhat-el-5:
name => "jpackage-redhat-el-5.0",
descr => "JPackage (free) for Red Hat Enterprise Linux - \$releasever",
mirrorlist => "http://www.jpackage.org/mirrorlist.php?dist=redhat-el-\$releasever&type=free&release=5.0",
failovermethod => "priority",
gpgcheck => "1",
gpgkey => "http://www.jpackage.org/jpackage.asc",
enabled => "1",
}
}

And finally the code to call it:

node testvm-jboss {
include repository::uncommonsense
include repository::jpackage::generic
include repository::jpackage::el5
include jboss
jboss::setting{"JBOSS_IP": value => "0.0.0.0" }

}

You can use a similar kickstart that we used in one of our previous posts to kick it off and viola! “Look Ma no hands!” – A working jboss server in less than 5 minutes.

Virtual machine stacking Using LXC on top of ESX

lesliebuna — Sun, 01 Jan 2012 06:16:02 +0000

What is LXC?

From Dwight Schauer:
“Linux Containers (LXC) are an operating system-level virtualization method for running multiple isolated server installs (containers) on a single control host. LXC does not provide a virtual machine, but rather provides a virtual environment that has its own process and network space. It is similar to a chroot, but offers much more isolation.”

Creating Virtual Environments within Virtual Machines using Red Hat Enterprise 6 or Centos 6

Why would anyone ever want to do this? Well for a number of reasons:

1. You only have access to one virtual machine but want to create multiple isolated services.

2. Have a requirement for multiple Linux OS versions but don’t want to invest in a heavyweight virtualisation solution.

3. Creating virtual multilayer services to that you wish to be deployed as a single virtual machine, think about a virtual network of machines encapsulated in a single easily deployed package that would only expose a single IP address e.g. reverse proxy, tomcat java container, database, and internal virtual networks).

4. Creation of lightweight development environment.

It so works on KVM, Virtualbox as well as VMware Vsphere.

LXC Setup

LXC needs kernel namespaces which is fully supported in 2.6.26 kernels and above which are currently upstream of Red Hat Enterprise Linux 5 so I opted to go to RHEL6 so I wouldn’t have to roll and maintain my own kernel (CentOS 6 wasn’t out when I tried this but it should just work).
For Red Hat Enterprise Linux 6 you will also need the RHN Optional Channel enabled so you can get ruby-selinux.

So let proceed onto how to get, compile and install LXC:

$ wget http://downloads.sourceforge.net/project/lxc/lxc/lxc-0.7.3/lxc-0.7.3.tar.gz
$ rpmbuild -ta lxc-0.7.3.tar.gz
$ yum --nogpg install lxc-0.7.3-1.x86_64.rpm libvirt
$ mkdir /var/lib/lxc /usr/lib64/lxc/rootfs /etc/lxc /cgroup
$ cat >> /etc/fstab < none /cgroup cgroup defaults 0 0
EOF
$ mount /cgroup

If your using DHCP on your network you can easily setup network bridging by doing the following:

?
$ cat > /etc/sysconfig/network-scripts/ifcfg-br0 <> /etc/sysconfig/network-scripts/ifcfg-eth0 < BRIDGE=br0
EOF<strong>
strong>$ service network restart

And voila! LXC is now configured and ready for use, now all you need to do is install a LXC container.
Hint: I typically create a dedicated LVM Volume Group and Logical Volume for each LXC container and mount them under /srv/lxc/ e.g. /src/lxc/myvirtualbox in order to prevent it spilling over into the hosts file system and impacting other services.
You need to already have or create a lxc template here’s a link on how you can create one based on Centos 5.

Here’s some additional stuff I do: Chroot into the template and disable Bluetooth

$ chkconfig bluetooth off

Delete the ssh *key and *.pub from /etc/ssh

$ for key in `ls /etc/ssh/* | grep -e key -e pub` ; do echo rm $key ; done

Remove the HWADDR setting in the /etc/sysconfig/network-scripts/ifcfg-eth0

$ sed -i 's/HWADDR.*$//g' /etc/sysconfig/network-scripts/ifcfg-eth0

Ensure that tty’s 1-4 are not commented out in /etc/inittab from each image before packaging the template up.

After that’s done and you have your template on your LXC host and are ready to deploy it.

cd /srv/lxc
mkdir myvirtualbox
tar zxvf /path/to/template/tar/gz/file
vi /etc/lxc/myvirtualbox.conf

Paste the following into the file (adjust as necessary):

lxc.utsname = myvirtualbox
lxc.tty = 4
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0
lxc.network.mtu = 1500
lxc.network.ipv4 = 0.0.0.0/24
lxc.rootfs = /srv/lxc/myvirtualbox
lxc.mount = /etc/lxc/myvirtualbox.fstab
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
# /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm

Save the file and create a new fstab file

Save the file and create a new fstab file

Paste in the following data and edit as necessary

none /srv/lxc/myvirtualbox/dev/pts devpts defaults 0 0
none /srv/lxc/myvirtualbox/proc proc defaults 0 0
none /srv/lxc/myvirtualbox/sys sysfs defaults 0 0
none /srv/lxc/myvirtualbox/dev/shm tmpfs defaults 0 0

Now you can create myvirtualbox lxc container by typing in

$ lxc-create -f /etc/lxc/myvirtualbox.conf -n myvirtualbox

And fire it up and a console to go with it using screen:

$ screen -dmS init-myvirtualbox /usr/bin/lxc-start -n myvirtualbox
$ screen -dmS console-myvirtualbox /usr/bin/lxc-console -n myvirtualbox

You can now use the following command to see the init boot session

$ screen -r
init-myvirtualbox

To see and interact with the console.

$ screen -r console-
myvirtualbox

JBoss 5.1.0A RPM Spec

lesliebuna — Sun, 01 Jan 2012 04:43:25 +0000

I know some of you out there are running JBoss 5.1.0 GA, so not to let you all feel left out, I’ve created an RPM Spec file to let you easily package and roll out your own 5.1.0 packages.

Name: jbossas5
Version: 5.1.0.GA
Release: 1
Group: Internet/WWW/Servers
Summary: JBoss Application Server
Vendor: Red Hat
URL: http://www.jboss.org/
BuildArch: noarch
License: LGPL
Source0: http://downloads.sourceforge.net/project/jboss/JBoss/JBoss- 5.0.1.GA/jboss-%{version}-jdk6.zip
Source1: %{name}.init
BuildRoot: %{_tmppath}/%{name}-%{version}-root
Requires: shadow-utils
Requires: java >= 1:1.6.0

%description

JBoss Application Server (or JBoss AS) is a free software/open-source
Java EE-based application server. An important distinction for this
class of software is that it not only implements a server that runs
on Java, but it actually implements the Java EE part of Java. Because
it is Java-based, the JBoss application server operates cross-platform:
usable on any operating system that supports Java.

JBoss AS was developed by JBoss, now a division of Red Hat.

%prep
%setup -n jboss-%{version}

%install
rm -rf %{buildroot}
install -d -m 755 %{buildroot}/opt/%{name}

cp -R . %{buildroot}/opt/%{name}
install -d -m 755 %{buildroot}%{_initrddir}
install -d -m 755 %{buildroot}%{_sysconfdir}/sysconfig
install -p -m 755 %{SOURCE1} %{buildroot}%{_initrddir}/%{name}
rm -rf %{buildroot}/opt/%{name}/server/*/deploy/ROOT.war

%clean
rm -rf %{buildroot}

%files
%defattr(-,jboss,jboss)
/opt/%{name}
%attr(0755,root,root) %{_initrddir}/%{name}

%pre
getent group jboss >/dev/null || groupadd -r jboss
getent passwd jboss >/dev/null || \
useradd -r -g jboss -d /opt/${name} -s /bin/bash -c "JBoss AS Daemon" jboss
exit 0

%changelog
* Mon Dec 6 2010 Martin Jackson 5.1.0.GA-1
- Initial creation

All you need to do is download the 5.1.0 JDK version of Jboss from Sourceforge, copy the jboss_init_redhat.sh from the bin directory of the zip file to your SOURCES directory.