Generating Certificates with IPA

12 Feb 2016

TL;DR

First off, this post is more for reminding myself of what to do. It’s incredibly incomplete and anyone who didn’t already know what they’re doing probably wouldn’t understand much of it anyways. Sorry if you were looking for something more informational.

# Add a host entry so that the name can appear in the certificate request
ipa host-add mirrors.fedoraproject.org --desc="A fake host for supporting yum repo redirection"
# Add the HTTP service for that host
ipa service-add HTTP/mirrors.fedoraproject.org
# Allow mirror-server to "manage" the new service, so it may request a certificate naming it
ipa service-add-host HTTP/mirrors.fedoraproject.org --hosts=mirror-server.gringotts.idahoscientific.com
# Request the certificate, with both names as Subject Alternative Names (-D)
ipa-getcert request -r \
  -f /etc/pki/tls/certs/mirror-server.example.com.crt \
  -k /etc/pki/tls/private/mirror-server.example.com.key \
  -N "CN=mirror-server.example.com" \
  -D mirror-server.example.com \
  -D mirrors.fedoraproject.org \
  -K HTTP/mirror-server.example.com

The Background

I’ve recently been playing with getting a CentOS repository mirror set up on a local network. Eventually, the network won’t be connected to the internet, so it will be nice to be able to install new packages when needed. I’ll probably also be able to update the mirror every now and then so that machines can get the latest updates. We also have a lot of computers on this local network, and it would be nice to take advantage of LAN speeds instead of slower internet speeds, so this will be an added performance bonus.

The catch is that I want this to be as easy as possible for machines to start using, preferably with zero configuration on the host machines. This means that I’ll have to override DNS to redirect the mirrorlist URLs in the repo files under /etc/yum.repos.d/. For example, the base repo goes to this mirrorlist URL: http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=stock. The epel repo goes here: https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=x86_64

The Grind

Redirecting these addresses is no problem. I know there are a lot of people who will say that this is a bad idea, and generally it is. However, since this will be on an isolated network without internet, I don’t think it’ll be as big of a problem as some might say. The DNS entries happily point people to my mirror-server virtual machine.

The only problem that comes up is that the epel repo wants to use https instead of plain old http. To stop complaints about a self-signed certificate, I’ll need to generate a new certificate request and send it to my FreeIPA server to get it signed. Enrolled clients already trust the IPA CA (ipa-client-install puts it in the system trust store), so a certificate it issues is accepted with no extra configuration on the hosts. Unfortunately, for clients to accept the certificate, the hostname in the URL has to appear in it. I really don’t want to name my machine “mirrors.fedoraproject.org”, so I’ll need to use the Subject Alternative Name (SAN) extension to say that my certificate is also valid for mirrors.fedoraproject.org. You can try this with FreeIPA, but it will complain that mirrors.fedoraproject.org is not a host it knows about.

So, now, getting to the point. You’ll need to create a fake host entry named mirrors.fedoraproject.org, add an HTTP service for it, and let the real mirror server manage that service: FreeIPA only issues a certificate with a SAN for a name whose host or service the requesting host is allowed to manage. Then you can use ipa-getcert to request a certificate whose SAN includes mirrors.fedoraproject.org. Here are the steps.

ipa host-add mirrors.fedoraproject.org --desc="A fake host for supporting yum repo redirection"
ipa service-add HTTP/mirrors.fedoraproject.org
ipa service-add-host HTTP/mirrors.fedoraproject.org --hosts=mirror-server.example.com
ipa-getcert request -r \
  -f /etc/pki/tls/certs/mirror-server.example.com.crt \
  -k /etc/pki/tls/private/mirror-server.example.com.key \
  -N "CN=mirror-server.example.com" \
  -D mirror-server.example.com \
  -D mirrors.fedoraproject.org \
  -K HTTP/mirror-server.example.com

At this point, you should have the certificate and key stored in the locations given on the ipa-getcert command line, and certmonger keeps tracking the request and renews the certificate automatically (that is what -r asks for). After configuring Apache, I was able to serve https pages as mirrors.fedoraproject.org.
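A check worth running once ipa-getcert has finished, as an added example that is not part of the original post: confirm that the issued certificate really lists both names as DNS Subject Alternative Names, matching the whole DNS: entry rather than a substring. The certificate used below is a constructed self-signed stand-in carrying the same subject and the same two names (the real one comes from the IPA CA); the paths and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): check that a PEM certificate
# carries the DNS Subject Alternative Names the redirected repo URLs rely on.
set -eu

# Print "yes" if the certificate in $1 lists $2 as a dNSName SAN, else "no".
# The match is on the whole "DNS:<name>" entry, so a certificate for
# mirrors.fedoraproject.org does not pass for fedoraproject.org (or vice versa).
san_has_dns() {
    cert="$1"
    name="$2"
    if openssl x509 -in "$cert" -noout -text \
        | grep -A1 'X509v3 Subject Alternative Name' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//' \
        | grep -qxF "DNS:${name}"; then
        echo yes
    else
        echo no
    fi
}

# Constructed stand-in for the IPA-issued certificate: a self-signed cert with
# the same subject and the same two SANs. The config-file form works on any
# OpenSSL version (the -addext shortcut needs 1.1.1 or later).
make_test_cert() {
    dir="$1"
    cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_san
prompt             = no
[dn]
CN = mirror-server.example.com
[v3_san]
subjectAltName = DNS:mirror-server.example.com, DNS:mirrors.fedoraproject.org
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -config "$dir/san.cnf" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Demo run (./check-san.sh --demo): generate the stand-in and report each name.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    cert=$(make_test_cert "$work")
    for n in mirror-server.example.com mirrors.fedoraproject.org fedoraproject.org; do
        printf '%-32s %s\n' "$n" "$(san_has_dns "$cert" "$n")"
    done
    rm -rf "$work"
fi
```

On the real mirror server, point san_has_dns at /etc/pki/tls/certs/mirror-server.example.com.crt, then run openssl verify -CAfile /etc/ipa/ca.crt against the same file to confirm it chains to the IPA CA that the enrolled hosts trust, and ipa-getcert list to see certmonger's tracking state for the request.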


Open Source Enterprise Rant...

10 Feb 2016

I’ve recently been trying to use open source software to set up some enterprise business stuff. I’m kind of upset with the quality of the open source software and the documentation. Things just don’t work the way you would expect them to!

Anyways, I’ve been pretty busy with life so I haven’t posted recently. I hope to be writing more soon!


Hosting Github Pages Locally

04 Nov 2015

When it comes to writing posts to this blog, it’s nice to be able to see how things look before actually pushing to the live website. That way you don’t have to clutter up your history with a million commit messages each explaining how you made one minor tweak to the formatting. In order to help curb some of this history mess, wouldn’t it be great if you could host your own Github Pages server on your own development machine? Through the magic of open source software and tools this is exactly what you’re able to do.

Github actually has documentation that helps you get started with this. It’s awesome that they’ve made this possible. However, it didn’t work out-of-the-box on my CentOS 7 minimal system. Here’s what I did to get things going.

Install the following packages using yum:

  • epel-release
  • ruby
  • ruby-devel
  • nodejs (jekyll needs a JavaScript runtime)
  • zlib-devel
  • "@Development Tools" (the yum group; the native gem extensions need a compiler)

sudo yum install -y epel-release
sudo yum install -y ruby ruby-devel nodejs zlib-devel "@Development Tools"

Then install the bundler gem:

gem install bundler

Now, make a folder, then put the following into a Gemfile so that bundler can get all of the packages and their dependencies.

source 'https://rubygems.org'
gem 'github-pages'

Once you’ve got that done, run bundle and let it take care of the rest.

When you’re ready to serve your website, run bundle exec jekyll serve and browse to the address it prints on the terminal (http://127.0.0.1:4000 by default).

If you want to do this all in one step, put the following into a script, make it executable, and let it run!

#!/bin/bash
set -e

# Install github pages

## dependencies
sudo yum install -y epel-release
sudo yum install -y ruby ruby-devel nodejs zlib-devel "@Development Tools"

## bundler (needs write access to the system gem directory: run as root or add --user-install)
gem install bundler

## install the github-pages gem and its dependencies into tmp/
mkdir -p tmp/
cat <<"EOF" > tmp/Gemfile
source 'https://rubygems.org'
gem 'github-pages'
EOF

cd tmp/ && bundle

## serve a site from here with: bundle exec jekyll serve

Virtual Machine Consoles

30 Oct 2015

Sometimes you don’t want to open up a GUI to manage a virtual machine. Sometimes you don’t even have the luxury of a graphical display. The other day I ran into a problem where the virtual machine was hosted on a remote host and I couldn’t figure out its IP address. I’ve read articles explaining that you should just use arp to get the IP/MAC address relation, but the VM connects to the network via a bridge and apparently this doesn’t work. My connection to the remote machine was over a slow link, so viewing the desktop would have been painful.

Luckily, libvirt’s virsh command allows you to connect to the serial port of your virtual machine. Unfortunately, my VM doesn’t use the serial port by default. Here, however, are the steps needed to have your Linux VM put a console on the serial port. I’ve tested this with CentOS 6, which uses legacy GRUB and /boot/grub/grub.conf; other distributions should work the same way, though GRUB 2 systems keep these settings in /etc/default/grub instead.

Linux Console

Add console=tty0 console=ttyS0 to the kernel command line in /boot/grub/grub.conf. This tells the kernel to send its console output to both tty0 (your monitor) and ttyS0 (the serial port); the last console= listed is the one that becomes /dev/console, which is where init’s output goes. Now, when you boot up the machine, you can use virsh console with the domain name to connect to it. That’s it. Pretty simple.

That’s great and all, but now wouldn’t it be nice to also view the grub console to choose which kernel to boot into? We can do that too.

GRUB Console

Edit /boot/grub/grub.conf and add the following lines before the first title stanza.

serial --unit=0
terminal --timeout=5 serial console

This tells GRUB that the serial port to use is unit 0 (ttyS0, at the default 9600 baud) and that the terminal may be either the serial port or the local console. GRUB shows its menu on only one of the two, whichever one a key is pressed on first. The timeout option specifies how many seconds to wait for that key press before falling back to the first terminal listed (serial here); without it, GRUB keeps waiting for input indefinitely. One thing to keep in mind: once the GRUB menu is reachable over the serial console, anyone who can run virsh console on the host can edit the kernel command line before boot, so this is also the point to consider a GRUB password. But that’s it!
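Both edits above are easy to script. Here is an added example, not from the original post, that applies them to a legacy grub.conf with awk and is safe to re-run: the serial and terminal directives are inserted only once, and console= arguments are appended only to kernel lines that lack them. The grub.conf content is a constructed CentOS 6 style sample (kernel versions and root device are placeholders), and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): make both grub.conf changes from
# a script, idempotently, so running it twice never duplicates a line.
set -eu

# Rewrite the legacy GRUB config in $1 in place:
#  - put "serial --unit=0" and "terminal --timeout=5 serial console" before the
#    first "title" stanza, unless such directives are already there
#  - append "console=tty0 console=ttyS0" to every kernel line that does not
#    already mention ttyS0
enable_serial_console() {
    conf="$1"
    tmp="$conf.tmp"
    awk '
        /^[[:space:]]*serial[[:space:]]/   { have_serial = 1 }
        /^[[:space:]]*terminal[[:space:]]/ { have_terminal = 1 }
        /^title/ && !done {
            if (!have_serial)   print "serial --unit=0"
            if (!have_terminal) print "terminal --timeout=5 serial console"
            done = 1
        }
        /^[[:space:]]*kernel[[:space:]]/ && $0 !~ /console=ttyS0/ {
            $0 = $0 " console=tty0 console=ttyS0"
        }
        { print }
    ' "$conf" > "$tmp"
    mv "$tmp" "$conf"
}

# Constructed grub.conf in the CentOS 6 layout, used as sample input.
make_sample_grub_conf() {
    cat > "$1" <<'EOF'
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.32-573.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-573.el6.x86_64 ro root=/dev/vda1 rhgb quiet
        initrd /initramfs-2.6.32-573.el6.x86_64.img
title CentOS (2.6.32-504.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-504.el6.x86_64 ro root=/dev/vda1 rhgb quiet
        initrd /initramfs-2.6.32-504.el6.x86_64.img
EOF
}

# Usage: ./enable-serial-console.sh --demo        (edits a throwaway sample)
#        ./enable-serial-console.sh /boot/grub/grub.conf   (keeps a .bak copy)
if [ "${1:-}" = "--demo" ]; then
    sample=$(mktemp)
    make_sample_grub_conf "$sample"
    enable_serial_console "$sample"
    enable_serial_console "$sample"   # second run is a no-op
    cat "$sample"
    rm -f "$sample"
elif [ -n "${1:-}" ]; then
    cp -p "$1" "$1.bak"
    enable_serial_console "$1"
fi
```

Run it with --demo first to see the rewritten sample; on a real system, reboot afterwards and confirm that virsh console shows the GRUB terminal prompt and then the kernel messages.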

Now I can work with my virtual machines even more on the command line.


Virtual Machine Disk Creation

20 Oct 2015

This is the command to build a simple qcow2 virtual machine disk that grows dynamically. I like to use this on my laptop so that it doesn’t chew through hard disk space.

qemu-img create -f qcow2 filename size

For example, qemu-img create -f qcow2 centos7.qcow2 40G creates a 40G virtual disk for my CentOS VM. On disk, it’s actually only 193KB to start out. Eventually this size will grow, but it won’t take up the full 40G until the guest has actually written that much data. I took this right from the man pages for qemu-img, but I’m posting it for my own reference.


About Me

This blog started when I realized that there are a lot of things that are really interesting. Things that I would either like to keep for reference or share with others. Primarily, this blog was started in hopes of focusing on firmware design in FPGAs. However, it also includes posts related to my work in system administration.