Thursday, April 12, 2012

CentOS 6.2 lighttpd reverse proxy server and Selinux

Situation
Setting up lighttpd as a reverse proxy in front of a java web server.

System
CentOS 6.2 x64 running as a virtual guest

Errors
Error in /var/log/lighttpd/error.log

server started
connect failed: 8 Permission denied 13
proxy-server disabled: 127.0.0.1 9000 8

Error in /var/log/audit/audit.log (selinux)
type=AVC msg=audit(1334211267.437:7950): avc:  denied  { name_connect } for  pid=21529 comm="lighttpd" dest=9000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1334211267.437:7950): arch=c000003e syscall=42 success=no exit=-13 a0=9 a1=7fff20ab9060 a2=10 a3=1999999999999999 items=0 ppid=1 pid=21529 auid=500 uid=498 gid=498 euid=498 suid=498 fsuid=498 egid=498 sgid=498 fsgid=498 tty=(none) ses=19 comm="lighttpd" exe="/usr/sbin/lighttpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Error shown in web browser
500 - Internal Server Error

Diagnosis
The AVC line is the tell: lighttpd runs in the httpd_t domain, and its name_connect to TCP port 9000 was denied because that port still carries the generic type port_t rather than http_port_t. The "Permission denied 13" in lighttpd's own log is just errno 13 (EACCES) coming back from connect(); on an otherwise working setup that points straight at SELinux.
Run "semanage port -l | grep http_port_t"
It lists the ports that processes in httpd_t may bind or connect to; 9000 will not be among them.

Solution
semanage port -a -t http_port_t -p tcp 9000
(or whichever port the internal web server listens on, if it is not already in the list above)

The change is persistent and takes effect immediately; run "semanage port -l | grep http_port_t" again to confirm, then restart lighttpd so mod_proxy stops treating the backend as disabled. Labelling just this one port is the least-privilege fix. The blanket alternative, the httpd_can_network_connect boolean, lets every process in httpd_t connect to any port and should be kept for cases where the backend ports cannot be enumerated. If semanage answers that the port is already defined, it already carries another service's type; relabelling it would change policy for that service as well, so prefer a boolean or a small custom policy module in that case.
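As an added example (not part of the original post), the following script turns audit.log records like the ones above into the matching fix. It keeps only name_connect denials raised by httpd_t on a TCP socket and prints one semanage command per port that is still generic (port_t). Ports that already carry another type are reported but deliberately not relabelled, since retyping them would also change policy for the service that owns that port. The sample records are constructed from the lines above; the 5432 record is invented to show the second case.

```shell
#!/bin/sh
# Added example, not from the original post: derive "semanage port" commands
# from SELinux AVC name_connect denials for httpd_t read on stdin.

avc_port_fix() {
    # 1. keep AVC denials of name_connect ...
    grep -E 'avc: +denied +[{] *name_connect *[}]' |
    # 2. ... raised by a process in httpd_t ...
    grep -E 'scontext=[^ ]*:httpd_t:' |
    # 3. ... on a TCP socket
    grep -E 'tclass=tcp_socket' |
    # 4. reduce each record to "<dest port> <type of that port>"
    sed -n 's/.* dest=\([0-9][0-9]*\) .*tcontext=[^ ]*:object_r:\([a-z0-9_]*\):.*/\1 \2/p' |
    sort -u |
    while read -r port ptype; do
        if [ "$ptype" = port_t ]; then
            # generic port: labelling it http_port_t is the least-privilege fix
            printf 'semanage port -a -t http_port_t -p tcp %s\n' "$port"
        else
            # already owned by another service: do not steal its label
            printf '# port %s is already typed %s: do not relabel, use a boolean instead\n' "$port" "$ptype"
        fi
    done
}

# Constructed sample: the two records from the post, a duplicate of the 9000
# denial, and an invented denial against an already-typed PostgreSQL port.
SAMPLE_AUDIT='type=AVC msg=audit(1334211267.437:7950): avc:  denied  { name_connect } for  pid=21529 comm="lighttpd" dest=9000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1334211267.437:7950): arch=c000003e syscall=42 success=no exit=-13 a0=9 a1=7fff20ab9060 a2=10 a3=1999999999999999 items=0 ppid=1 pid=21529 auid=500 uid=498 gid=498 euid=498 suid=498 fsuid=498 egid=498 sgid=498 fsgid=498 tty=(none) ses=19 comm="lighttpd" exe="/usr/sbin/lighttpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1334211300.101:7961): avc:  denied  { name_connect } for  pid=21529 comm="lighttpd" dest=5432 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1334211305.220:7963): avc:  denied  { name_connect } for  pid=21529 comm="lighttpd" dest=9000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# Usage on a real host:  grep AVC /var/log/audit/audit.log | sh avc_port_fix.sh
# or, against the constructed sample:
#   printf '%s\n' "$SAMPLE_AUDIT" | avc_port_fix
```

Review the output before running it: the script tells you which ports can be labelled safely and which ones need a different approach, but it does not apply anything itself.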



Friday, February 24, 2012

Headless KVM setup on CentOS 6.2

Host machine: CentOS 6.2, 64-bit
Guest machine: CentOS 6.2, 64-bit

This is a quick run through of the commands and steps necessary for the setup to work on a headless (no GUI) machine. But even so, we will use a remote VNC client to access the server to setup and configure the guest machine.

I assume that
- virtualization is enabled in the BIOS of the host machine (important!)
- root privileges are available
- the base system is up and running somewhere remotely and can be accessed via SSH
- a port can be opened on the firewall(s) to allow access to the VNC server on the host machine
- a copy of "CentOS-6.2-x86_64-minimal.iso" or similar has been downloaded and placed on the host machine at "/var/lib/libvirt/images"
- selinux is configured in "enforcing" mode.
- your host machine has sufficient resources to run your guests (remember to leave enough RAM for the host itself)
- the person trying this is not a newbie system administrator. If your remote box does go down, ensure you are able to reboot it (physically or by calling the data center staff).
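The checkable assumptions in that list can be verified before touching anything. The script below is an added example, not from the original post: each check takes the file it inspects as an optional argument (defaulting to the live system), so the same functions can be run against constructed sample data. The 1024 MB host reserve and the 2048 MB default for guests are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for a
# headless CentOS 6 KVM host.

# Hardware virtualization shows up as "vmx" (Intel VT-x) or "svm" (AMD-V) in
# the CPU flags; if neither is present it is disabled in the BIOS or unsupported.
cpu_has_virt() {
    grep -Eq '^flags[[:space:]]*:.*[[:space:]](vmx|svm)([[:space:]]|$)' "${1:-/proc/cpuinfo}"
}

# Both "kvm" and the vendor module (kvm_intel or kvm_amd) must be loaded.
kvm_loaded() {
    grep -Eq '^kvm[[:space:]]' "${1:-/proc/modules}" &&
    grep -Eq '^kvm_(intel|amd)[[:space:]]' "${1:-/proc/modules}"
}

# CentOS 6 exposes the mode at /selinux/enforce (1 = enforcing);
# newer systems use /sys/fs/selinux/enforce.  A missing file counts as a fail.
selinux_enforcing() {
    [ "$(cat "${1:-/selinux/enforce}" 2>/dev/null)" = 1 ]
}

# MemTotal (kB, from /proc/meminfo) minus the RAM promised to guests (MB) must
# leave at least reserve_mb (default 1024, an assumption) for the host itself.
ram_headroom_ok() {
    meminfo=${1:-/proc/meminfo}; guests_mb=$2; reserve_mb=${3:-1024}
    total_kb=$(awk '/^MemTotal:/ {print $2}' "$meminfo")
    [ -n "$total_kb" ] || return 1
    [ $(( total_kb / 1024 - guests_mb )) -ge "$reserve_mb" ]
}

# Run every check against the live host; exit status 1 if any of them fails.
preflight() {
    guests_mb=${1:-2048}; rc=0
    for chk in cpu_has_virt kvm_loaded selinux_enforcing; do
        if "$chk"; then echo "PASS $chk"; else echo "FAIL $chk"; rc=1; fi
    done
    if ram_headroom_ok /proc/meminfo "$guests_mb"; then
        echo "PASS ram_headroom_ok ($guests_mb MB for guests)"
    else
        echo "FAIL ram_headroom_ok ($guests_mb MB for guests)"; rc=1
    fi
    return "$rc"
}

# Usage on the host:  sh preflight.sh --run [total_guest_ram_mb]
if [ "${1:-}" = "--run" ]; then
    preflight "${2:-2048}"
fi
```

Run it once before step 1 and again after step 2; the kvm_loaded check is expected to fail on the first run and pass on the second.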

1. Install the tools required
yum install kvm libvirt python-virtinst


You will also require the dmidecode package if you are using the minimal edition of CentOS 6.2.
yum install dmidecode 
(noticed that this was missing by observing /var/log/libvirt/libvirtd.log)

2. Check that kvm is installed
lsmod | grep kvm 

The above command should list two modules: "kvm" and the vendor-specific one, "kvm_intel" or "kvm_amd". If the vendor module is missing, virtualization is most likely disabled in the BIOS.

3. Create a secure location for your live images 
Assuming we are creating /vm, which is writable only by root.
The default SELinux policy labels /var/lib/libvirt/images as virt_image_t, the type libvirt and qemu are allowed to use for disk images, but we don't want to mix the ISO images with live/running virtual guests. A directory elsewhere must be given the same label, and the label must be recorded in the file-context database so that it survives a future relabel.

mkdir /vm 
yum install policycoreutils-python 
semanage fcontext -a -t virt_image_t "/vm(/.*)?"
restorecon -R /vm

The pattern "/vm(/.*)?" covers /vm itself and everything beneath it. Confirm with "ls -Zd /vm" that the directory now shows virt_image_t.

If you can't do this, you can always host your guest images next to your ISO files in /var/lib/libvirt/images.

4. Network reconfiguration
We will need to create a bridge so that guests sit on the same Ethernet segment as the host and get their own addresses from the host's network; the host's own IP address moves from eth0 to the bridge. This step can be skipped if the guest machines do not require network access.

cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.bak
cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-br0

Edit /etc/sysconfig/network-scripts/ifcfg-eth0 to something like the following (lines starting with # are comments and may stay in the file):

DEVICE="eth0"
# make sure this corresponds to your actual MAC address
HWADDR=00:1D:09:EF:F7:04
ONBOOT=yes
# important! this is what enslaves eth0 to the bridge
BRIDGE=br0
TYPE=Ethernet
# prevent IPv6 from starting
IPV6INIT=no

Edit /etc/sysconfig/network-scripts/ifcfg-br0 to something like the following:

# important!
DEVICE="br0"
# important!
TYPE=Bridge
BOOTPROTO=static
ONBOOT=yes
# change this to your current internet accessible IP
IPADDR=192.168.1.11
PREFIX=24
# change this
GATEWAY=192.168.1.1
# change this
DNS1=192.168.1.11

Double-check your entries, especially the IP addresses! Note that eth0 no longer carries an IPADDR of its own; the address lives on br0. If NetworkManager is installed, it cannot manage bridges on CentOS 6, so either stop it or add NM_CONTROLLED=no to both files.

5. Reboot
Cross your fingers and reboot. If the bridge configuration is wrong, the box will not come back on the network and you will know it immediately. :P

If it does come back, you also know that you can reboot the machine remotely as often as you like. Better to fail now than when you have multiple live guests running and need to do some maintenance.

6. Back online?
Edit /etc/libvirt/qemu.conf and uncomment the vnc_listen and vnc_password entries.

vnc_listen = "0.0.0.0" makes every guest's VNC console listen on all network interfaces of the host, including the internet-facing one, so the firewall rule in the next step is the only thing standing between the console and the outside world. If you can tunnel instead, vnc_listen = "127.0.0.1" plus an SSH port forward to the host is the safer choice and needs no firewall hole at all.

vnc_password: change it, and DO NOT USE THE DEFAULT VALUE! Be aware of what this password is worth: VNC authentication is a DES challenge-response that uses at most the first 8 characters of the password (longer ones are truncated), and the session itself is not encrypted. It keeps out casual connections, not a determined attacker who can reach the port. Pick 8 random characters and rely on the firewall restriction (or the SSH tunnel) for the real protection.

Restart libvirtd so the changes take effect for guests started from now on:
service libvirtd restart

7. Poke a hole in the firewall
If you chose vnc_listen = "0.0.0.0", open a hole in the firewall for a non-common, non-privileged port (we will be using 7601), and restrict the rule to the source address you will connect from rather than accepting the port from anywhere. Nothing listens on the port yet: the VNC server only appears once virt-install starts the guest in the next step.

8. Guest OS installation
virt-install \
-n myguest \
-r 2048 \
--vcpus=2 \
--os-variant=rhel6 \
-v \
--accelerate \
-c /var/lib/libvirt/images/CentOS-6.2-x86_64-minimal.iso \
-w bridge:br0 \
--vnc --vncport=7601 \
--disk path=/vm/guest.img,size=100

(100 refers to 100GB)

Once you run this, virt-install will complain that it cannot launch virt-viewer. This is FINE: there is no X session on a headless host, so the built-in console cannot open. The guest is nevertheless running and waiting in the installer; you will need to start a VNC client to access the guest OS installation.


9. Start your vnc (ultravnc or tightvnc viewer)
connect to the IP:Port on the host machine
in our example 192.168.1.11:7601

You will see the familiar (minimal edition) CentOS installer. If you are fast enough, you might even catch the boot screen. Please note that the VNC server for this guest OS does not start until you run the virt-install command, and that it is the qemu-kvm process itself, not libvirtd, that listens on the port. You can check this by looking for the process listening on port 7601: run "netstat -pant | grep 7601" and you should see something like
tcp        0      0 0.0.0.0:7601                0.0.0.0:*                   LISTEN      3109/qemu-kvm

10. Start it up again, for real
Once the installer finishes, the guest does not come back up even though you click the "reboot" button; it is simply shut down. Start it manually:
virsh start myguest


You can run "virsh list" to see the status of your guest machines (add --all to include guests that are shut off).

Reconnect your VNC client to watch for errors during boot.

Can you log in via the VNC client to the root account you defined during installation? If so, you can close the VNC client.

11. Post-installation

Remember to remove the firewall rule for TCP port 7601 (or whichever port you chose). Every time the guest is started its console listens on that port again (the port number, and possibly the listen address, are stored in the guest's XML; check with "virsh dumpxml myguest"), so the console is only as private as that rule. If you no longer need console access from outside, set vnc_listen in qemu.conf back to 127.0.0.1 and reach the console over an SSH tunnel when you need it.

Patch / update the software on your base guest image; you might want to use it as a base for cloning more guests, which saves a lot of time.
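Steps 6 to 11 as one script, added here as an example and not part of the original post: the iptables hole for the guest's VNC console is opened only to a single admin address and removed again as soon as virt-install exits, however it exits, so the step-11 cleanup cannot be forgotten. The admin address 203.0.113.5, the guest name myguest, the VNC port 7601 and the ISO and disk paths from step 8 are assumptions; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: source-restricted, self-closing
# firewall hole around a headless virt-install session.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Rule body shared by open and close.  An empty or wildcard source is refused:
# VNC auth is a DES challenge on at most 8 password bytes and the session is
# unencrypted, so the console must never be reachable from arbitrary addresses.
vnc_rule() {
    case "$1" in
        ''|0.0.0.0|*/0|any) echo "refusing to open VNC port $2 to any source" >&2; return 1 ;;
    esac
    echo "INPUT -p tcp -s $1 --dport $2 -j ACCEPT"
}

# $rule is deliberately unquoted: it is a list of iptables arguments.
open_vnc_hole()  { rule=$(vnc_rule "$1" "$2") || return 1; run iptables -I $rule; }
close_vnc_hole() { rule=$(vnc_rule "$1" "$2") || return 1; run iptables -D $rule; }

# Open the hole, run the installer from step 8, and close the hole on any exit
# (installer finished, Ctrl-C, error).  The guest stays defined for "virsh start".
install_guest() {
    admin_ip=$1; name=$2; port=$3; iso=$4; disk=$5
    open_vnc_hole "$admin_ip" "$port" || return 1
    trap 'close_vnc_hole "$admin_ip" "$port"' EXIT
    run virt-install -n "$name" -r 2048 --vcpus=2 --os-variant=rhel6 -v --accelerate \
        -c "$iso" -w bridge:br0 --vnc --vncport="$port" --disk "path=$disk,size=100"
}

# Usage on the host:  RUN_INSTALL=1 sh install-guest.sh
# (add DRY_RUN=1 to see the commands first)
if [ "${RUN_INSTALL:-0}" = 1 ]; then
    install_guest 203.0.113.5 myguest 7601 \
        /var/lib/libvirt/images/CentOS-6.2-x86_64-minimal.iso /vm/guest.img
fi
```

The refusal in vnc_rule is the point of the script: it makes the insecure variant (a hole open to 0.0.0.0/0 that somebody forgets to close) impossible to express, while the EXIT trap handles step 11's cleanup whether or not the installer ran to completion.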

Hope this helps.