Friday, November 15, 2013

cisco VPN with openconnect and Belgian EID

This is a quick howto to get the Belgian EID working with openconnect and connect to a Cisco VPN. This will probably work for other PKI cards too, but I can of course only test with my EID.
The steps below are done on a Fedora 18 box. Fedora 18 comes out of the box with the software for card readers and cards, so I will not address this here. Find the relevant info for your distro if opensc / pcsc is missing.
If you have the right software, you will be able to check for your reader with:
# opensc-tool --info
opensc 0.12.2 [gcc  4.7.1 20120720 (Red Hat 4.7.1-5)]
Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)
# opensc-tool --list-readers
Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 00 00
It's a Dell with a built-in smartcard reader.
If you insert a card, the reader should detect it and you can ask for the name of the card:
# opensc-tool --name
Using reader with a card: Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 00 00
Belpic cards
Openconnect uses PKCS#11. So in order for PKCS#11 to use the card reader, it must be linked to opensc. This isn't done out of the box (yet), so configure PKCS#11 to load the opensc module by creating the following file:
# cat /etc/pkcs11/modules/opensc.module
module: opensc-pkcs11.so
Now you can test your EID card with p11tool. If all works well, it will ask for your PIN and display the certs.
# p11tool --list-certs --login
Token 'BELPIC (Basic PIN)' with URL 'pkcs11:model=PKCS%2315;manufacturer=%28unknown%29;serial=123456789ABCDEF;token=BELPIC%20%28Basic%20PIN%29' requires user PIN
Enter PIN: 
Object 0:
    URL: pkcs11:library-description=Smart%20card%20PKCS%2311%20API;library-manufacturer=OpenSC%20%28www.opensc-project.org%29;model=PKCS%2315;manufacturer=%28unknown%29;serial=123456789ABCDEF;token=BELPIC%20%28Basic%20PIN%29;id=%02;object=Authentication;object-type=cert
    Type: X.509 Certificate
    Label: Authentication
    ID: 02

Object 1:
    URL: pkcs11:library-description=Smart%20card%20PKCS%2311%20API;library-manufacturer=OpenSC%20%28www.opensc-project.org%29;model=PKCS%2315;manufacturer=%28unknown%29;serial=123456789ABCDEF;token=BELPIC%20%28Basic%20PIN%29;id=%03;object=Signature;object-type=cert
    Type: X.509 Certificate
    Label: Signature
    ID: 03

Object 2:
    URL: pkcs11:library-description=Smart%20card%20PKCS%2311%20API;library-manufacturer=OpenSC%20%28www.opensc-project.org%29;model=PKCS%2315;manufacturer=%28unknown%29;serial=123456789ABCDEF;token=BELPIC%20%28Basic%20PIN%29;id=%04;object=CA;object-type=cert
    Type: X.509 Certificate
    Label: CA
    ID: 04

Object 3:
    URL: pkcs11:library-description=Smart%20card%20PKCS%2311%20API;library-manufacturer=OpenSC%20%28www.opensc-project.org%29;model=PKCS%2315;manufacturer=%28unknown%29;serial=123456789ABCDEF;token=BELPIC%20%28Basic%20PIN%29;id=%06;object=Root;object-type=cert
    Type: X.509 Certificate
    Label: Root
    ID: 06
To make the connection to Cisco we need the Authentication cert and the CA for the chain. The current version doesn't pick up the CA automatically from the card. This will be fixed in a future version of gnutls (current git or 3.2.7 when it's released; thanks to Nikos Mavrogiannopoulos). In order to include the CA (when it's not done automatically), you can export the CA to a file. Remember to copy the right string from the --list-certs output. Here we see that the CA is id=04 and object-type=cert. Copy the URL from token= till the end and put 'pkcs11:' in front of it:
# p11tool --export 'pkcs11:token=BELPIC%20%28Basic%20PIN%29;id=%04;object=CA;object-type=cert' --login --outfile myca.crt
Token 'BELPIC (Basic PIN)' with URL 'pkcs11:model=PKCS%2315;manufacturer=%28unknown%29;serial=123456789ABCDEF;token=BELPIC%20%28Basic%20PIN%29' requires user PIN
Enter PIN: 
# head -1 myca.crt
-----BEGIN CERTIFICATE-----
The file should start with the line shown above.
So we have the CA (myca.crt) and the Authentication cert (id=02). Now you can make the connection with the following command:
# openconnect -v --cafile myca.crt -c 'pkcs11:token=BELPIC%20%28Basic%20PIN%29;id=%02' https://vpn.example.com
Attempting to connect to server a.b.c.d:443
Using PKCS#11 certificate pkcs11:token=BELPIC%20%28Basic%20PIN%29;id=%02;object-type=cert;pin-source=openconnect%3a0x1582910
PIN required for BELPIC (Basic PIN)
Enter PIN:
Using PKCS#11 key pkcs11:token=BELPIC%20%28Basic%20PIN%29;id=%02;object-type=private;pin-source=openconnect%3a0x1582910
Using client certificate 'Christof Haerens (Authentication)'
Adding supporting CA 'Citizen CA'
SSL negotiation with vpn.example.com
Connected to HTTPS on vpn.example.com
GET https://vpn.example.com/
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Thu, 07 Nov 2013 22:14:24 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
SSL negotiation with vpn.example.com
Connected to HTTPS on vpn.example.com
GET https://vpn.example.com/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: ***********
Set-Cookie: ***********
Set-Cookie: ***********
X-Transcend-Version: 1
HTTP body chunked (-2)
TCP_INFO rcv mss 1380, snd mss 1380, adv mss 1460, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK 

An important part of the output is the line Adding supporting CA 'Citizen CA'. This shows that our CA is loaded.
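The by-hand steps above (find the CA's URL in the p11tool listing, shorten it, export it, check the PEM header, pass it to openconnect) as an added shell example; this is not code from the original post. The listing is constructed from the post's output with a made-up serial, and export_ca / vpn_connect need the reader and card, so only the parsing helpers run offline.

```shell
#!/bin/sh
# Added example, not from the original post. short_url builds the short URL the
# post makes by copying "from token= till the end" and prefixing pkcs11:;
# cert_url trims it to the token+id form used with `openconnect -c`;
# pem_ok is the `head -1 myca.crt` check. P11_LISTING is a constructed
# `p11tool --list-certs --login` listing (serial made up, URLs shortened).

P11_LISTING='Object 0:
    URL: pkcs11:model=PKCS%2315;manufacturer=%28unknown%29;serial=123456789ABCDEF;token=BELPIC%20%28Basic%20PIN%29;id=%02;object=Authentication;object-type=cert
    Type: X.509 Certificate
    Label: Authentication
    ID: 02

Object 2:
    URL: pkcs11:model=PKCS%2315;manufacturer=%28unknown%29;serial=123456789ABCDEF;token=BELPIC%20%28Basic%20PIN%29;id=%04;object=CA;object-type=cert
    Type: X.509 Certificate
    Label: CA
    ID: 04'

# short_url LABEL [LISTING]: print pkcs11:token=...;id=...;object=...;object-type=cert
# for the object whose Label matches; exit 1 when no such object is listed.
short_url() {
    printf '%s\n' "${2:-$P11_LISTING}" | awk -v want="$1" '
        /^ *URL: / { url = $2 }
        /^ *Label: / && $2 == want {
            sub(/^.*[:;]token=/, "token=", url)   # drop everything before token=
            print "pkcs11:" url
            found = 1
            exit
        }
        END { if (!found) exit 1 }'
}

# cert_url LABEL [LISTING]: the token+id form the post passes to `openconnect -c`.
cert_url() {
    short_url "$1" "$2" | sed 's/;object=.*$//'
}

# pem_ok FILE: true when FILE begins with a PEM certificate header.
pem_ok() {
    [ "$(head -n 1 "$1" 2>/dev/null)" = "-----BEGIN CERTIFICATE-----" ]
}

# export_ca OUTFILE: export the card's CA cert with p11tool (asks for the PIN
# twice: once to list, once to export) and verify the result. Needs the card.
export_ca() {
    p11tool --export "$(short_url CA "$(p11tool --list-certs --login)")" \
        --login --outfile "$1" && pem_ok "$1"
}

# vpn_connect HOST CAFILE: the post's openconnect command, with the client cert
# URL taken from the card instead of typed by hand. Needs the card.
vpn_connect() {
    pem_ok "$2" || { echo "$2 is not a PEM certificate" >&2; return 1; }
    openconnect -v --cafile "$2" \
        -c "$(cert_url Authentication "$(p11tool --list-certs --login)")" "https://$1"
}
```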

Many thanks go to David Woodhouse of infradead, who was kind enough to help me with debugging the parts where I was stuck.

Monday, December 3, 2012

cursorline, cursorcolumn and syntax making vim slow with ruby files

I recently upgraded to Fedora 17 and noticed today that my cursor movement in vim was getting really slow, so I started testing and soon discovered that disabling the cursorcolumn and cursorline settings fixed the slowdown.
Now the weird part is that this worked fine before. It even works fine when I ssh to a machine with an older 7.x version of vim (rhel5). Testing further also revealed that having cursorline/column on and syntax checking off worked fine as well. Furthermore I found out that the slowdown only occurs when editing ruby files.
So as soon as I have one of the cursor options on along with syntax on, things really slow down. And my ruby script has only 300 lines. I tested vim also on a large perl script (5000+ lines) and noticed only a really tiny slowdown (only because I was paying attention; in day-to-day operation I wouldn't have noticed). So does anybody know if this is a (recent) bug in the ruby syntax checking, or has the ruby syntax checking become that heavy that things are slow? I understand that screen redraws slow things down, but if redraw was the issue here, then the perl file would also suffer from the slowdown.
I have also found some interesting things other people tried as a slowdown workaround here http://briancarper.net/blog/590/cursorcolumn--cursorline-slowdown and here https://gist.github.com/2624765

Tuesday, November 27, 2012

Citrix Xenserver 6.1 + glusterfs test on vmware workstation 9

To organize my servers online and to separate my different services I need several virtual machines. As a system admin I also like to have as much control over my systems as possible. So I want a redundant pool setup without spending too much money.
The idea is to rent 2 hardware servers for this and create a 2 node XenServer pool with glusterfs to replicate the storage to the 2 nodes and have it available via NFS. That way I can have live migration and also quickly start the virtual machines on the other node if one of the nodes goes down.

So I did a test setup of my idea on vmware workstation 9 (since it supports intel-vt emulation). I created 2 virtual machines (xen1 and xen2) with 2 host-only networks (choose centos 64 bit, go along with the defaults (pick your own mem & disk size of course), change the processor setting and activate "Virtualize Intel VT-x", redirect your dvd to the xenserver iso, remove floppy, printer and soundcard (you could even delete the usb)). The first host-only network (192.168.8.0/24) I use for admin and connecting (it is natted via iptables on my fedora 16) and the second (192.168.9.0/24) I use for glusterfs and is not routed.
Xenserver is freely available from http://www.citrix.com/downloads/xenserver.html. In order to download you have to create a plain account on the citrix website. You can also download the xencenter admin tool, but it's automatically available after the xenserver install.

Next thing after xenserver is installed (the install is pretty straightforward so I won't explain it here in detail; enough info via google if you need it) is to download and install glusterfs. You can download the glusterfs, glusterfs-fuse and glusterfs-server pkgs from http://download.gluster.org/pub/gluster/glusterfs/3.3/3.3.1/CentOS/epel-5/i386/ Scp the pkgs to both nodes and install them:

[root@xen1 ~]# yum localinstall ./glusterfs-*rpm --nogpg -y 
Loaded plugins: fastestmirror
Setting up Local Package Process
Examining ./glusterfs-3.3.1-1.el5.i386.rpm: glusterfs-3.3.1-1.el5.i386
Marking ./glusterfs-3.3.1-1.el5.i386.rpm to be installed
Loading mirror speeds from cached hostfile
Examining ./glusterfs-fuse-3.3.1-1.el5.i386.rpm: glusterfs-fuse-3.3.1-1.el5.i386
Marking ./glusterfs-fuse-3.3.1-1.el5.i386.rpm to be installed
Examining ./glusterfs-server-3.3.1-1.el5.i386.rpm: glusterfs-server-3.3.1-1.el5.i386
Marking ./glusterfs-server-3.3.1-1.el5.i386.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package glusterfs.i386 0:3.3.1-1.el5 set to be updated
---> Package glusterfs-fuse.i386 0:3.3.1-1.el5 set to be updated
---> Package glusterfs-server.i386 0:3.3.1-1.el5 set to be updated
--> Finished Dependency Resolution

...

Installed:
  glusterfs.i386 0:3.3.1-1.el5                  glusterfs-fuse.i386 0:3.3.1-1.el5                  glusterfs-server.i386 0:3.3.1-1.el5                 

Complete!

Don't forget to enable the services at boot time, and to start them (which I won't do here since I will reboot after I have cleared the local storage).
[root@xen1 ~]# chkconfig --list|grep gluster
glusterd        0:off 1:off 2:off 3:off 4:off 5:off 6:off
glusterfsd      0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@xen1 ~]# chkconfig glusterd  on
[root@xen1 ~]# chkconfig glusterfsd on
Since my VMs only have one disk (as is typical for rented hw servers) and xenserver takes all of the disk at installation, I needed some space for my glusterfs bricks. It is possible not to let xenserver use the disk for guest storage at installation, but then you have to install via an automated installation file (see appendix C of the installation doc).
You can also delete this local guest storage afterwards (on both nodes): find the sr-uuid for the local storage, find the pbd, unplug the pbd, remove the sr and clean the lvm config.
[root@xen1 ~]# xe sr-list host=xen1 name-label=Local\ storage 
uuid ( RO)                : 46416544-9eba-7734-efc5-800b2deba55b
          name-label ( RW): Local storage
    name-description ( RW): 
                host ( RO): xen1
                type ( RO): lvm
        content-type ( RO): user


[root@xen1 ~]# xe pbd-list sr-uuid=46416544-9eba-7734-efc5-800b2deba55b
uuid ( RO)                  : 41748cf2-c4ad-0610-9489-256e3e1d483c
             host-uuid ( RO): 7d306eb1-3ba0-4491-937a-373a809a0488
               sr-uuid ( RO): 46416544-9eba-7734-efc5-800b2deba55b
         device-config (MRO): device: /dev/sda3
    currently-attached ( RO): true


[root@xen1 ~]# xe pbd-unplug uuid=41748cf2-c4ad-0610-9489-256e3e1d483c

[root@xen1 ~]# xe sr-forget uuid=46416544-9eba-7734-efc5-800b2deba55b

[root@xen1 ~]# vgdisplay -C
  VG                                                 #PV #LV #SN Attr   VSize  VFree 
  VG_XenStorage-46416544-9eba-7734-efc5-800b2deba55b   1   1   0 wz--n- 11.99G 11.98G

[root@xen1 ~]# vgremove VG_XenStorage-46416544-9eba-7734-efc5-800b2deba55b
Do you really want to remove volume group "VG_XenStorage-46416544-9eba-7734-efc5-800b2deba55b" containing 1 logical volumes? [y/n]: y
Do you really want to remove active logical volume MGT? [y/n]: y
  Logical volume "MGT" successfully removed
  Volume group "VG_XenStorage-46416544-9eba-7734-efc5-800b2deba55b" successfully removed

[root@xen1 ~]# pvdisplay -C
  PV         VG   Fmt  Attr PSize  PFree 
  /dev/sda3       lvm2 a-   12.00G 12.00G

[root@xen1 ~]# pvremove /dev/sda3
  Labels on physical volume "/dev/sda3" successfully wiped
[root@xen1 ~]# reboot
I reboot here so I'm sure the nodes come up without the local storage and my glusterfs services are started.

Next step is to install XenCenter. For those unfamiliar with XenServer: XenCenter is the GUI admin tool, runs on windows and needs the .NET framework. To install it, open your browser in windows and point it to the admin ip of 1 of the 2 xenhosts. Download the msi and start the install. Most things you can do via the CLI also, but I know some people like a GUI too :-). In my setup I used the GUI to configure the secondary ip (for my dedicated glusterfs network) on both nodes and also to create a pool with the 2 nodes.

Time to set up glusterfs. Glusterfs uses xattr, so the best filesystem to use is ext4 or xfs. XenServer includes the kernel modules, but not the tools. The ext4 tools can be installed via the Centos base repo. (On both nodes) edit the repo file and enable (enabled=1) the base repo, then install e4fsprogs.

[root@xen1 ~]# vi /etc/yum.repos.d/CentOS-Base.repo 
[root@xen1 ~]# yum install e4fsprogs -y
We can now (again on both nodes) create a new filesystem on the partition and mount it (I have omitted the output of the cmds):
[root@xen1 ~]# mkfs.ext4 -m 0 -j /dev/sda3
[root@xen1 ~]# mkdir -p /export/xen1-vol0
[root@xen1 ~]# echo "/dev/sda3   /export/xen1-vol0   ext4  defaults 1 2" >> /etc/fstab 
[root@xen1 ~]# mount -a
On the second node I mount the filesystem on /export/xen2-vol0, so my mount points match the pattern replica_host-volname. When all is in place we can create the glusterfs replica. If it is the first volume we create, we need to let both glusterfs nodes know of each other:
[root@xen1 ~]# gluster peer probe 192.168.9.201
Performing this command on xen1 automatically also adds 192.168.9.200 (xen1) as peer on xen2. If you are using hostnames instead of ips and also want to see the hostnames in the glusterfs config and output, you need to run the peer probe command with the hostname on BOTH nodes. If you use ips, running it on 1 node is enough.
Create the volume as replica to the 2 nodes (run on 1 node):
[root@xen1 ~]# gluster volume create vol0 replica 2 192.168.9.200:/export/xen1-vol0 192.168.9.201:/export/xen2-vol0
We will use this volume via NFS as a storage repo on XenServer. We will mount to localhost. This way all hosts in the pool will mount to localhost and since both hosts have a replica this will work. Glusterfs values consistency over performance, so when all replicas are up, a write is returned as OK only when all replicas have committed. In case host2 fails, the guest can be started on host1 since its replica will have the same state as when host2 went down. When host2 comes up again glusterfs will start the autoheal, so you can safely start guests on node2 again (although the healing process can slow down the startup of the guests).
Glusterfs has built-in NFS (version 3 over tcp, no udp) and CIFS. XenServer needs NFS on port 2049 in order to add it as an SR. So we set the port and then start the volume (volumes are started automatically when the hosts start up):
[root@xen1 ~]# gluster volume set vol0 nfs.port 2049
[root@xen1 ~]# gluster volume start vol0
You can check the status of the volume and the nfs port (it may be that the gluster services need to be restarted for the nfs port change to take effect):
[root@xen1 ~]# gluster volume status vol0
Status of volume: vol0
Gluster process      Port Online Pid
------------------------------------------------------------------------------
Brick 192.168.9.200:/export/xen1-vol0   24009 Y 7024
Brick 192.168.9.201:/export/xen2-vol0   24009 Y 7076
NFS Server on localhost     2049 Y 7030
Self-heal Daemon on localhost    N/A Y 7042
NFS Server on 192.168.9.201    2049 Y 7082
Self-heal Daemon on 192.168.9.201   N/A Y 7088

So the only thing left to do is open XenCenter and add an NFS SR. As described earlier, use localhost. All volumes are exported under /. You can change this with the gluster volume set command, but for that I refer to the excellent docs on the glusterfs website. So in my setup my nfs target is localhost:/vol0

[root@xen1 ~]# xe sr-list type=nfs
uuid ( RO)                : 8629a755-9aee-322f-62b9-a43630c9d9d1
          name-label ( RW): gluster-vol0
    name-description ( RW): NFS SR [localhost:/vol0]
                host ( RO): 
                type ( RO): nfs
        content-type ( RO): 
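The status check the post does by eye before adding the SR (every brick and NFS server online, NFS on 2049), as an added shell example that is not part of the original post. Both listings are constructed from the post's `gluster volume status` output with made-up PIDs; check_volume is the live wrapper and needs a pool node.

```shell
#!/bin/sh
# Added example, not from the original post: parse `gluster volume status`
# output and refuse to go on when a brick is down or an NFS server row is not
# on port 2049 (the port XenServer needs for an NFS SR).

# Constructed from the post's output; PIDs are made up.
STATUS_OK='Status of volume: vol0
Gluster process      Port Online Pid
------------------------------------------------------------------------------
Brick 192.168.9.200:/export/xen1-vol0   24009 Y 7024
Brick 192.168.9.201:/export/xen2-vol0   24009 Y 7076
NFS Server on localhost     2049 Y 7030
Self-heal Daemon on localhost    N/A Y 7042
NFS Server on 192.168.9.201    2049 Y 7082
Self-heal Daemon on 192.168.9.201   N/A Y 7088'

# Constructed failure case: xen2 down and the NFS port not yet on 2049 (the
# situation where the post says glusterd may need a restart after nfs.port).
STATUS_BAD='Status of volume: vol0
Gluster process      Port Online Pid
------------------------------------------------------------------------------
Brick 192.168.9.200:/export/xen1-vol0   24009 Y 7024
Brick 192.168.9.201:/export/xen2-vol0   N/A N N/A
NFS Server on localhost     38467 Y 7030
Self-heal Daemon on localhost    N/A Y 7042'

# volume_ready STATUS_TEXT: print one line per problem; exit 0 only when
# every brick is online and every NFS server row listens on 2049.
volume_ready() {
    printf '%s\n' "$1" | awk '
        # Columns are space separated; Port, Online and Pid are the last three.
        /^Brick / {
            if ($(NF-1) != "Y") { print "brick offline: " $2; bad++ }
        }
        /^NFS Server on / {
            if ($(NF-1) != "Y") { print "nfs server offline on " $4; bad++ }
            else if ($(NF-2) != "2049") {
                print "nfs server on " $4 " uses port " $(NF-2) ", not 2049"; bad++
            }
        }
        END { if (bad) exit 1 }'
}

# check_volume VOLNAME: run the check against the live status on a pool node.
check_volume() {
    volume_ready "$(gluster volume status "$1")"
}
```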
Good luck !!

Tuesday, September 13, 2011

Dual booting RHEL6 and Citrix Xenserver 6 beta

If you have limited hardware resources available and you want to test multiple virtualization solutions, then dual boot comes to the rescue. Citrix Xenserver claims the whole disk for itself, so we need at least two disks. If you have a raid card in the server, just create 2 or more logical disks. Otherwise you need at least 2 physical disks.
Install Xenserver 6 beta on the first disk (sda in my case). After that install RHEL 6 (or centos6 or scientific linux 6 or ..) on the second disk (sdb in my case) and install grub on the first disk (sda). Don't modify grub during the RHEL install, we will do that later. After the install boot into RHEL6 (well, xenserver is out of the question since our grub for now can only boot rhel6).
Mount the root disk of the xenserver in rhel6 on /mnt and get the boot params:
[root@host1 ~]# mount /dev/sda1 /mnt
[root@host1 ~]# cat /mnt/boot/extlinux.conf
# location mbr
serial 0 115200
default xe
prompt 1
timeout 50

label xe
  # XenServer
  kernel mboot.c32
  append /boot/xen.gz dom0_mem=752M lowmem_emergency_pool=1M crashkernel=64M@32M console= vga=mode-0x0311 --- /boot/vmlinuz-2.6-xen root=LABEL=root-bhsbdzef ro xencons=hvc console=hvc0 console=tty0 quiet vga=785 splash --- /boot/initrd-2.6-xen.img

label xe-serial
  # XenServer (Serial)
  kernel mboot.c32
  append /boot/xen.gz com1=115200,8n1 console=com1,vga dom0_mem=752M lowmem_emergency_pool=1M crashkernel=64M@32M --- /boot/vmlinuz-2.6-xen root=LABEL=root-bhsbdzef ro console=tty0 xencons=hvc console=hvc0 --- /boot/initrd-2.6-xen.img

label safe
  # XenServer in Safe Mode
  kernel mboot.c32
  append /boot/xen.gz nosmp noreboot noirqbalance acpi=off noapic dom0_mem=752M com1=115200,8n1 console=com1,vga --- /boot/vmlinuz-2.6-xen nousb root=LABEL=root-bhsbdzef ro console=tty0 xencons=hvc console=hvc0 --- /boot/initrd-2.6-xen.img

label fallback
  # XenServer (Xen 4.1.1 / Linux 2.6.32.12-0.7.1.xs5.9.960.497.170655xen)
  kernel mboot.c32
  append /boot/xen-4.1.1.gz dom0_mem=752M lowmem_emergency_pool=1M crashkernel=64M@32M --- /boot/vmlinuz-2.6.32.12-0.7.1.xs5.9.960.497.170655xen root=LABEL=root-bhsbdzef ro xencons=hvc console=hvc0 console=tty0 --- /boot/initrd-2.6.32.12-0.7.1.xs5.9.960.497.170655xen.img

label fallback-serial
  # XenServer (Serial, Xen 4.1.1 / Linux 2.6.32.12-0.7.1.xs5.9.960.497.170655xen)
  kernel mboot.c32
  append /boot/xen-4.1.1.gz com1=115200,8n1 console=com1,vga dom0_mem=752M lowmem_emergency_pool=1M crashkernel=64M@32M --- /boot/vmlinuz-2.6.32.12-0.7.1.xs5.9.960.497.170655xen root=LABEL=root-bhsbdzef ro console=tty0 xencons=hvc console=hvc0 --- /boot/initrd-2.6.32.12-0.7.1.xs5.9.960.497.170655xen.img

We have several boot labels, but I'm only interested in the first one. If you want more, you can add as many as you like.
Now we update our grub.conf with the info from the append line. Just after the append we find the kernel info, up to the first ---. After that we have the first module info and after the second --- we have the second module info. So my /etc/grub.conf (which is a link to /boot/grub/grub.conf) looks like:
default=0
timeout=25

title Red Hat Enterprise Linux (2.6.32-131.0.15.el6.x86_64)
	root (hd1,0)
	kernel /vmlinuz-2.6.32-131.0.15.el6.x86_64 ro root=/dev/mapper/vg_kvmtest1-root rd_LVM_LV=vg_kvmtest1/root rd_LVM_LV=vg_kvmtest1/swap rd_NO_LUKS rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto rhgb quiet
	initrd /initramfs-2.6.32-131.0.15.el6.x86_64.img

title Citrix Xenserver 6.beta
	root (hd0,0)
	kernel /boot/xen.gz dom0_mem=752M lowmem_emergency_pool=1M crashkernel=64M@32M console= vga=mode-0x0311
	module /boot/vmlinuz-2.6-xen root=LABEL=root-bhsbdzef ro xencons=hvc console=hvc0 console=tty0 quiet vga=785 splash
	module /boot/initrd-2.6-xen.img
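The append-line-to-grub translation described above, as an added shell example that is not part of the original post. APPEND_XE is the post's "xe" append line; the root device "(hd0,0)" matches the post's layout (XenServer on sda) and is passed in rather than detected.

```shell
#!/bin/sh
# Added example, not from the original post: turn an extlinux "append" line
# into grub stanza lines. Everything before the first "---" is the hypervisor
# (grub "kernel"), each later part becomes a "module" line (dom0 kernel with
# its arguments, then the initrd), exactly as the post does by hand.

# The post's "xe" entry, copied as a constructed input.
APPEND_XE='  append /boot/xen.gz dom0_mem=752M lowmem_emergency_pool=1M crashkernel=64M@32M console= vga=mode-0x0311 --- /boot/vmlinuz-2.6-xen root=LABEL=root-bhsbdzef ro xencons=hvc console=hvc0 console=tty0 quiet vga=785 splash --- /boot/initrd-2.6-xen.img'

# extlinux_to_grub APPEND_LINE: print one tab-indented grub line per part.
extlinux_to_grub() {
    printf '%s\n' "$1" | awk '
        {
            sub(/^[ \t]*append[ \t]+/, "")          # strip the keyword
            n = split($0, part, / --- /)            # parts separated by ---
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", part[i])
                prefix = (i == 1) ? "\tkernel " : "\tmodule "
                print prefix part[i]
            }
        }'
}

# xen_grub_entry TITLE ROOT APPEND_LINE: a complete grub.conf stanza. ROOT is
# the grub device of the XenServer boot partition, "(hd0,0)" for sda1.
xen_grub_entry() {
    printf 'title %s\n\troot %s\n' "$1" "$2"
    extlinux_to_grub "$3"
}

# extlinux_append FILE LABEL: the append line of LABEL in an extlinux.conf,
# e.g. /mnt/boot/extlinux.conf once the XenServer root is mounted on /mnt.
extlinux_append() {
    awk -v want="$2" '
        /^label / { cur = $2 }
        cur == want && /^[ \t]*append[ \t]/ { print; exit }' "$1"
}
```

Run `xen_grub_entry 'Citrix Xenserver 6.beta' '(hd0,0)' "$(extlinux_append /mnt/boot/extlinux.conf xe)" >> /etc/grub.conf` to append the stanza.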
If you use ssh to connect to your servers (who doesn't?) and you use the same ip for rhel6 as for xenserver, it can be handy to set both host keys the same (otherwise you will be constantly editing your known_hosts file). With /mnt still mounted you can:
[root@host1 ~]# \cp /mnt/etc/ssh/ssh_host* /etc/ssh/
[root@host1 ~]# /etc/init.d/sshd restart

Tuesday, August 30, 2011

Using mrepo on rhel6

Mrepo is a very handy tool written by Dag Wieers (@dagwieers) to download all rhn updates. Unfortunately, some things broke on rhel6 (dropped pkgs, versions, ..). The current mrepo el6 rpm is therefore not directly usable. Follow these steps if you want a working mrepo on rhel6 without patching. This howto is also useful for people who want to set up mrepo for rhn update downloads in general. Please make sure you have the needed rhn subscriptions for your systems.

1. download latest mrepo from Github since these have already the needed patches:
https://github.com/dagwieers/mrepo

2. Download rhpl from one of Dag's repo mirrors. rhpl was dropped in rhel6. Dag has made a feature request to mrepo on Aug 1st 2011 to remove rhpl from mrepo so that the extra pkg would no longer be needed. But until then you still need rhpl:
ftp://ftp.univie.ac.at/systems/linux/dag/redhat/el6/en/x86_64/dag/RPMS/rhpl-0.221-2.el6.rf.x86_64.rpm

3. Untar / unzip the latest mrepo and install it (you can also first build an rpm of it by running make rpm, but then you will need the necessary build rpms installed):
# tar xzf dagwieers-mrepo-736c07a.tar.gz

# cd dagwieers-mrepo-736c07a
# make install
install -Dp -m0755 gensystemid /usr/bin/gensystemid
install -Dp -m0755 mrepo /usr/bin/mrepo
...
install -Dp -m0644 config/mrepo.logrotate /etc/logrotate.d/mrepo
#


4. Generate the /etc/sysconfig/rhn/up2date-uuid file if you don't have one yet:
# UUID=$(uuidgen)

# /bin/echo -e "uuid[comment]=Universally Unique ID for this server\nrhnuuid=$UUID" > /etc/sysconfig/rhn/up2date-uuid


5. Edit the /etc/mrepo.conf file for your needs. Mine looks like this:
# cat /etc/mrepo.conf

[main]
srcdir = /export/mrepo
wwwdir = /export/mrepo
confdir = /etc/mrepo.conf.d
arch = x86_64
mailto = xxxxxxx
smtp-server = localhost
rhnlogin = xxx:xxx


6. Create a conf file for each rhel version you want to download in /etc/mrepo.conf.d/. I only need the rhel6 x86_64 updates, so this is how mine looks:
# cat /etc/mrepo.conf.d/rhel6-x86_64.conf 

[rhel6-x86_64]
name = Red Hat Server ($arch)
release = 6
arch = x86_64
metadata = repomd yum repoview

updates = rhns:///rhel-$arch-server-$release
#fastrack = rhns:///rhel-$arch-server-fastrack-$release
#rhn-tools = rhns:///rhn-tools-rhel-$arch-server-$release
#optional = rhns:///rhel-$arch-server-optional-$release
supplementary = rhns:///rhel-$arch-server-supplementary-$release


7. Remember that for each repo you download, you need a systemid file in the mrepo folder for that repo. So my mrepo dir is /export/mrepo (mrepo.conf) and the server config is rhel6-x86_64 (rhel6-x86_64.conf). So the systemid file should go into the folder /export/mrepo/rhel6-x86_64.
# cp /etc/sysconfig/rhn/systemid /export/mrepo/rhel6-x86_64/


8. My system has a systemid file because it was already registered with rhn. If you want to download other version / arch repos on the same system, you can use gensystemid to create one:
# gensystemid -r 6Server -a i386 /export/mrepo/rhel6-i386


9. All done. Now run mrepo
# mrepo -uvv

Verbosity set to level 2
Using configfile /etc/mrepo.conf
Setting option confdir in section [main] to: /etc/mrepo.conf.d
Setting option srcdir in section [main] to: /export/mrepo
Setting option wwwdir in section [main] to: /export/mrepo
Setting option mailto in section [main] to: xxxxxx
Setting option smtp-server in section [main] to: localhost
Setting option arch in section [main] to: x86_64
Setting option rhnlogin in section [main] to: xxx:xxx
rhel6-x86_64: Updating Red Hat Server (x86_64)
rhel6-x86_64: Mirror packages from rhns:///rhel-x86_64-server-supplementary-6 to /export/mrepo/rhel6-x86_64/supplementary
rhel6-x86_64: Repository supplementary changed (new: 28, removed: 1)
rhel6-x86_64: Mirror packages from rhns:///rhel-x86_64-server-6 to /export/mrepo/rhel6-x86_64/updates
...


10. mrepo has of course more useful options than just downloading the updates from rhn. Have a look at the documentation if, for example, you want to include iso files, want to run createrepo after the repos have been downloaded, or want to download other repos than those from rhn.
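A check for the step-7 rule (every repo section needs srcdir/<section>/systemid), as an added shell example that is not part of the original post or of mrepo. demo_tree builds a throwaway tree shaped like the post's layout, with the systemid dropped into a directory whose arch is mistyped, so the check can run without a real /etc/mrepo.conf.

```shell
#!/bin/sh
# Added example, not from the original post: walk confdir from mrepo.conf and
# report every [section] whose systemid file is missing under srcdir. A
# mistyped directory name (rhel6-x68_64 for rhel6-x86_64) is easy to miss and
# mrepo cannot fetch from RHN for that repo without the file.

# conf_value FILE KEY: value of "KEY = value" in an mrepo ini-style file.
conf_value() {
    sed -n "s/^$2[ \t]*=[ \t]*//p" "$1" | head -n 1
}

# check_systemids MREPO_CONF: list missing systemid files; exit 0 if none.
check_systemids() {
    srcdir=$(conf_value "$1" srcdir)
    confdir=$(conf_value "$1" confdir)
    missing=0
    for f in "$confdir"/*.conf; do
        [ -f "$f" ] || continue
        for sec in $(sed -n 's/^\[\(.*\)\]$/\1/p' "$f"); do
            if [ ! -f "$srcdir/$sec/systemid" ]; then
                echo "missing $srcdir/$sec/systemid (section [$sec] in $f)"
                missing=$((missing + 1))
            fi
        done
    done
    [ "$missing" -eq 0 ]
}

# demo_tree ROOT: constructed layout mirroring the post (srcdir, confdir and
# the rhel6-x86_64 section) with the systemid in a transposed-arch directory.
demo_tree() {
    mkdir -p "$1/etc/mrepo.conf.d" "$1/export/mrepo/rhel6-x68_64"
    printf '[main]\nsrcdir = %s\nwwwdir = %s\nconfdir = %s\narch = x86_64\n' \
        "$1/export/mrepo" "$1/export/mrepo" "$1/etc/mrepo.conf.d" > "$1/etc/mrepo.conf"
    printf '[rhel6-x86_64]\nname = Red Hat Server ($arch)\nrelease = 6\narch = x86_64\n' \
        > "$1/etc/mrepo.conf.d/rhel6-x86_64.conf"
    echo 'constructed systemid, not a real RHN registration' \
        > "$1/export/mrepo/rhel6-x68_64/systemid"
}
```

On a real host run `check_systemids /etc/mrepo.conf` before `mrepo -uvv`.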

I hope this quick how-to helps in getting you started with mrepo on rhel6.

Wednesday, August 11, 2010

Second hard drive in my laptop

My last 4 laptops are Dell laptops (all 15.4"). The first 3 were Latitudes and my last is a Precision. I'm happy with the hardware, linux (fedora that is) runs fine on it and support is good (in case you also have accidental coverage).
One of the specs of the Latitude and Precision series is that you can have a switchable media tray for a DVD or hard disk. The laptops come with a DVD drive but there isn't an option on the website to order a media tray for a hard disk. So far that wasn't a problem, because who needs a 2nd hd in a laptop? 500GB hard disks for laptops are common these days, so 500GB should be enough.
But a couple of months ago I switched to a 256GB SSD. So I had to trim my data on my 500GB SATA hdd to fit on the 256GB disk (ok, 512GB SSDs also exist, but these are way too expensive). No problem, music files and other non-critical files can be moved to a USB disk.
I also run several virtual machines on my laptop. I trimmed down the number of virtual machines to fit on the SSD. Moving virtual machines to a USB disk isn't really an option, because a) it's a hassle with external disks and cables, b) performance is bad.
I'm really satisfied with my SSD, the speed is phenomenal, but the downside was that I had to trim my data. This is one reason I started to look for the hdd media tray. Another reason is that I want to prevent degradation of my SSD. I've tuned my fedora and apps to use the SSD storage wisely (thus avoiding massive rewrites on the same blocks), but the problem is the virtual machines. Especially the windows machines... How could they know that there is an SSD beneath the virtual machine?
I had no luck on the Dell site. I've found several forums with people looking for the same, but they had no luck on the Dell website either. Eventually I found a link in a forum to a media drive on the US Dell site, but that was only for 1.8" disks and not 2.5" disks. I have learned in the last months that if google fails, you should try youtube. I know that sounds silly, but it actually worked for me several times. And also in this case it was a success. The search string "m4400 hdd" did the trick and led me (http://www.youtube.com/watch?v=f-V01PmnSRI) to the newmodeus website (http://www.newmodeus.com). There you can order a drive bay that fits a 2.5" hdd, and this bay you can swap with the DVD drive in the laptop. Et voila... 2 hard disks in a 15.4" laptop. I ordered one Monday evening and the drive arrived today (Wednesday). So this is pretty fast considering the drive was shipped from California to Belgium. Unwrapped the tray, put the 500GB disk in it, swapped the DVD tray with the hdd tray and there was the 500GB disk in my fedora. It also uses a SATA connection (in my case for the Dell M4400; the connection varies for other types of laptops), so the disk performs as well as if it were the internal disk.
# hdparm -T /dev/sdb1

/dev/sdb1:
Timing cached reads: 12656 MB in 1.99 seconds = 6358.40 MB/sec
# hdparm -t /dev/sdb1

/dev/sdb1:
Timing buffered disk reads: 220 MB in 3.02 seconds = 72.90 MB/sec


Now I can have all my data with me (without the hassle of usb disks and cables) and still use the speed of my ssd. Woot!

Friday, July 30, 2010

Creating text images via CLI on linux

Today I needed some text images. I could go to gimp and create them there, but I needed several and I really don't like repetitive work. The wonderful web is always your friend for these things.

So I found this blog that described creating a postscript page with enscript and converting this to an image format with convert. It boils down to the following command:
$ echo "Some text" | enscript -B -f "Times-Roman36" -o - | convert -trim +repage -negate \
-border 2x2 -bordercolor gray - text.png

Enscript makes the postscript page. You can specify the font and the font size. (Enscript can do much more than that (like creating tables), so be sure to check the manpage if you are interested in generating postscript files.) With convert we trim it (remove the whitespace around the text, so only the text remains and not a full page), negate it to make the text white, and add a 2 pixel gray border. The result looks like this:


Now I've used ImageMagick several times (in my opinion this is one hell of a CLI tool) and I thought it was capable of generating text images itself (without the need for enscript). So I went through the manpage and came up with the command:
$ convert -background gray -fill white -font Times-Roman -pointsize 36 label:"Some text" \
text2.png

This produces:

Creating text with convert has many more possibilities. Have a look at the examples page for more info.
If you want to know which fonts are available, you can check the type-ghostscript file:
$ locate type-ghostscript.xml |grep ImageMagick
/usr/lib64/ImageMagick-6.5.8/config/type-ghostscript.xml
$ grep "type name=" /usr/lib64/ImageMagick-6.5.8/config/type-ghostscript.xml | sed -e \
's/.*type name=//' | awk '{print $1}'
"AvantGarde-Book"
"AvantGarde-BookOblique"
"AvantGarde-Demi"
"AvantGarde-DemiOblique"
"Bookman-Demi"
"Bookman-DemiItalic"
"Bookman-Light"
"Bookman-LightItalic"
"Courier"
"Courier-Bold"
"Courier-Oblique"
"Courier-BoldOblique"
"fixed"
"Helvetica"
"Helvetica-Bold"
"Helvetica-Oblique"
"Helvetica-BoldOblique"
"Helvetica-Narrow"
"Helvetica-Narrow-Oblique"
"Helvetica-Narrow-Bold"
"Helvetica-Narrow-BoldOblique"
"NewCenturySchlbk-Roman"
"NewCenturySchlbk-Italic"
"NewCenturySchlbk-Bold"
"NewCenturySchlbk-BoldItalic"
"Palatino-Roman"
"Palatino-Italic"
"Palatino-Bold"
"Palatino-BoldItalic"
"Times-Roman"
"Times-Bold"
"Times-Italic"
"Times-BoldItalic"
"Symbol"


You can also use a TrueType font on your system:
$ locate -r "\.ttf$"|grep -i liberation| grep -i mono
/usr/share/fonts/liberation/LiberationMono-Bold.ttf
/usr/share/fonts/liberation/LiberationMono-BoldItalic.ttf
/usr/share/fonts/liberation/LiberationMono-Italic.ttf
/usr/share/fonts/liberation/LiberationMono-Regular.ttf
$ convert -background gray -fill white -font /usr/share/fonts/liberation/LiberationMono-Bold.ttf -pointsize 36 label:"Some text" text3.png
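The "several images" need the post starts from, done as a batch around the post's `convert ... label:` command, plus the font listing as a single sed; this is an added shell example, not code from the original post. The Liberation font path is the one the post found and is assumed to exist; SAMPLE_XML is a constructed two-entry type-ghostscript.xml.

```shell
#!/bin/sh
# Added example, not from the original post: one PNG per input line, named
# after its text, rendered with the post's convert options; gs_fonts lists
# the Ghostscript font names the post extracts with grep/sed/awk.

FONT=${FONT:-/usr/share/fonts/liberation/LiberationMono-Bold.ttf}  # assumed path
POINTSIZE=${POINTSIZE:-36}

# Constructed stand-in for type-ghostscript.xml (two entries, made-up paths).
SAMPLE_XML='<?xml version="1.0"?>
<typemap>
  <type name="Times-Roman" fullname="Times Roman" family="Times" glyphs="/usr/share/fonts/default/Type1/n021003l.pfb"/>
  <type name="Helvetica-Bold" fullname="Helvetica Bold" family="Helvetica" glyphs="/usr/share/fonts/default/Type1/n019004l.pfb"/>
</typemap>'

# gs_fonts [FILE]: print the name attribute of every <type> element, one per
# line; reads the constructed sample when no file is given.
gs_fonts() {
    if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_XML"; fi |
        sed -n 's/.*<type name="\([^"]*\)".*/\1/p'
}

# slug TEXT: file-safe name from the label text: lowercase, any run of
# characters outside [a-z0-9] collapsed to one "-", no leading/trailing "-".
slug() {
    printf '%s' "$1" | LC_ALL=C tr 'A-Z' 'a-z' | LC_ALL=C tr -cs 'a-z0-9' '-' |
        sed 's/^-//; s/-$//'
}

# label_png TEXT OUTFILE: the post's convert command (gray background, white
# text); falls back to the Ghostscript Times-Roman if the TTF is not present.
label_png() {
    if [ -r "$FONT" ]; then font=$FONT; else font=Times-Roman; fi
    convert -background gray -fill white -font "$font" -pointsize "$POINTSIZE" \
        label:"$1" "$2"
}

# labels_from_stdin OUTDIR: one label per line on stdin -> OUTDIR/<slug>.png
labels_from_stdin() {
    mkdir -p "$1"
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        label_png "$line" "$1/$(slug "$line").png"
    done
}
```

Usage: `printf 'Some text\nHello, World!\n' | labels_from_stdin ./out` writes out/some-text.png and out/hello-world.png.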