12 Feb 2016
First off, this post is more for reminding myself of what to do. It’s incredibly incomplete and anyone who didn’t already know what they’re doing probably wouldn’t understand much of it anyways. Sorry if you were looking for something more informational.
# Add host so that you can mention it in the certificate request
ipa host-add mirrors.fedoraproject.org --desc="A fake host for supporting yum repo redirection"
# Add the HTTP service to this host
ipa service-add HTTP/mirrors.fedoraproject.org
# Allow mirror-server to "manage" the new service
ipa service-add-host HTTP/mirrors.fedoraproject.org --hosts=mirror-server.gringotts.idahoscientific.com
# Add host as Subject Alternative Name in certificate
ipa-getcert request -r -f /etc/pki/tls/certs/mirror-server.example.com.crt -k /etc/pki/tls/private/mirror-server.example.com.key -N "CN=mirror-server.example.com" -D mirror-server.example.com -D mirrors.fedoraproject.org -K HTTP/mirror-server.example.com
I’ve recently been playing with getting a CentOS repository mirror set up on a local network. Eventually, the network won’t be connected to the net, so it’ll be nice to be able to install new packages when needed. Also, I’ll probably be able to update the mirror every now and then so that machines can get access to the latest updates. We also have a lot of computers on this local network and it would be nice to take advantage of LAN speeds instead of the slower internet speeds, so this will be an added performance bonus.
The catch is that I want this to be as easy as possible for machines to start using.
Preferably, zero configuration on the host machines.
This means that I’ll have to override the DNS to redirect the mirrorlist URLs in the repo files located in /etc/yum.repos.d/.
For example, the base repo will go to this mirrorlist URL: http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=stock
The epel repo will go here: https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=x86_64
Redirecting these addresses is no problem.
I know there are a lot of people who will say that this is a bad idea, and generally it is.
However, since this will be on an isolated network without internet, I don’t think it’ll be as big of a problem as some might say.
The DNS entries happily point people to my mirror-server virtual machine.
The only problem that comes up is that the epel repo wants to use https instead of plain old http. In order to stop complaints about a self-signed certificate, I’ll need to generate a new certificate request and send it to my FreeIPA server to get it signed. Unfortunately, for the certificate to be issued, the hostname in the certificate needs to match the hostname in the URL. I really don’t want to name my machine “mirrors.fedoraproject.org”, so I’ll need to use the Subject Alternative Name (SAN) field of the certificate to say that my certificate is also valid for mirrors.fedoraproject.org. You can try this with FreeIPA, but then it will complain about mirrors.fedoraproject.org not being a host.
So, now, getting to the point. You’ll need to create a fake host by the name of mirrors.fedoraproject.org, and an HTTP service for it that your real mirror host is allowed to manage. Then you can use the ipa-getcert tool to request a certificate with a SAN list that includes mirrors.fedoraproject.org. The steps are the four commands listed at the top of this post: add the fake host, add its HTTP service, allow mirror-server to manage that service, and request the certificate with both names as SANs.
At this point, you should have the certificate and key stored in the locations provided on the ipa-getcert command. After configuring apache, I was now able to serve https pages from mirrors.fedoraproject.org.
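As an added example (not from the original post): once ipa-getcert has issued the certificate, it is worth checking that every name clients will actually connect to is present as a DNS Subject Alternative Name, because a name missing from the SAN list is exactly what produces the certificate complaints the redirect was meant to avoid. Only the openssl command line tool is assumed; the file names are placeholders, and make_demo_cert builds a constructed self-signed certificate (not one issued by FreeIPA) so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that a server
# certificate covers both the real host name and the redirected mirror
# name as DNS SANs. Assumes only the openssl CLI (1.1.1 or newer).

# Print the DNS SAN entries of a PEM certificate, one per line.
cert_san_dns() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# check_san CERT NAME...  -> 0 if every NAME is a DNS SAN of CERT,
# otherwise report the missing names on stderr and return 1.
check_san() {
    cert="$1"; shift
    sans=$(cert_san_dns "$cert")
    missing=""
    for name in "$@"; do
        echo "$sans" | grep -qxF "$name" || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        echo "certificate $cert is missing SAN entries:$missing" >&2
        return 1
    fi
    return 0
}

# make_demo_cert DIR NAMES: constructed throwaway self-signed certificate
# (not one from FreeIPA) used only to try check_san offline. NAMES is a
# comma-separated list; the first entry becomes the CN. Prints the path.
make_demo_cert() {
    dir="$1"; names="$2"
    cn=${names%%,*}
    sanlist=$(echo "$names" | sed 's/,/,DNS:/g; s/^/DNS:/')
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/demo.key" -out "$dir/demo.crt" \
        -subj "/CN=$cn" -addext "subjectAltName=$sanlist" >/dev/null 2>&1
    echo "$dir/demo.crt"
}

# Usage against the certificate requested in this post (placeholder paths):
#   check_san /etc/pki/tls/certs/mirror-server.example.com.crt \
#       mirror-server.example.com mirrors.fedoraproject.org
```

The same check can be run before reconfiguring Apache on a freshly issued certificate, and again after every renewal, since certmonger renews with the same request parameters and a silently changed SAN list would only be noticed by clients failing.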
10 Feb 2016
I’ve recently been trying to use open source software to set up some enterprise business stuff. I’m kind of upset with the quality of the open source software and the documentation. Things just don’t work the way you would expect them to!
Anyways, I’ve been pretty busy with life so I haven’t posted recently. I hope to be writing more soon!
04 Nov 2015
When it comes to writing posts to this blog, it’s nice to be able to see how things look before actually pushing to the live website. That way you don’t have to clutter up your history with a million commit messages each explaining how you made one minor tweak to the formatting. In order to help curb some of this history mess, wouldn’t it be great if you could host your own Github Pages server on your own development machine? Through the magic of open source software and tools this is exactly what you’re able to do.
Github actually has documentation that helps you get started with this. It’s awesome that they’ve made this possible. However, it didn’t work out-of-the-box on my CentOS 7 minimal system. Here’s what I did to get things going.
Install the following packages using yum:
Then install the bundler gem.
gem install bundler
Now, make a folder, then put the following into a Gemfile so that bundler can get all of the packages and their dependencies.
Once you’ve got that done, run bundle and let it take care of the rest.
When you’re ready to serve your website, run bundle exec jekyll server and browse to the address that it outputs on the terminal.
If you want to do this all in one step, put the following into a script, make it executable, and then let it run!
30 Oct 2015
Sometimes you don’t want to open up a GUI to manage a virtual machine. Sometimes you don’t even have the luxury of a graphical display. The other day I ran into a problem where the virtual machine was hosted on a remote host and I couldn’t figure out its IP address. I’ve read articles explaining that you should just use arp to get the IP/MAC address relation, but the VM connects to the network via a bridge and apparently this doesn’t work. My connection to the remote machine was over a slow link, so viewing the desktop would have been painful.
Luckily, libvirt’s virsh command allows you to connect to the serial port of your virtual machine. Unfortunately, my VM doesn’t use the serial port by default. Here, however, are the steps needed to have your linux VM connect to the serial port. I’ve tested this with CentOS 6, but this should work with other linux distributions.
Add console=tty0 console=ttyS0 to the kernel command line arguments in /boot/grub/grub.conf. This tells the kernel to use tty0 (your monitor) and ttyS0 (the serial port) for its console. Now, when you boot up your machine, you can use virsh console to connect to the virtual machine. That’s it. Pretty simple.
That’s great and all, but now wouldn’t it be nice to also view the grub console to choose which kernel to boot into? We can do that too.
Edit /boot/grub/grub.conf and add the following lines.
serial --unit=0
terminal --timeout=5 serial console
This tells GRUB that the serial port to use is ttyS0 (unit 0) and for the terminal, use either the serial port or the console. GRUB only shows up on one of the terminal types. Either the serial port or the monitor (console) but not both. The timeout option specifies how long to wait before automatically choosing one. Without the timeout, it will just keep waiting for input on where to set the terminal. But that’s it!
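As an added example (not from the original post), here are both changes, the kernel console= arguments and the GRUB serial/terminal directives, applied to a legacy grub.conf from a script. Doing it in a script matters when several guests are prepared the same way, and the functions are idempotent so running them twice never duplicates lines. It assumes a GRUB 0.97-style /boot/grub/grub.conf as on CentOS 6, that the guest’s first serial port is ttyS0, and that the libvirt domain already has a serial console device (the default for virt-install guests); write_sample_grub_conf produces a constructed sample file so the script can be tried without touching a real guest.

```shell
#!/bin/sh
# Added example, not from the original post: enable the serial console in a
# legacy GRUB grub.conf idempotently. Assumes GRUB 0.97 syntax (CentOS 6),
# ttyS0 as the guest's first serial port, and GNU sed.

KERNEL_ARGS="console=tty0 console=ttyS0"

# Rewrite FILE in place with the output of a sed expression, keeping the
# original inode and permissions (cat > file instead of mv).
_edit_in_place() {
    file="$1"; expr="$2"
    tmp=$(mktemp) || return 1
    sed -e "$expr" "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# enable_serial_console GRUB_CONF
# 1. append the console= arguments to every "kernel" line lacking ttyS0
# 2. prepend "serial --unit=0" and "terminal --timeout=5 serial console"
#    once, only if no serial directive is present yet
enable_serial_console() {
    conf="$1"
    _edit_in_place "$conf" \
        "/^[[:space:]]*kernel /{/console=ttyS0/!s/\$/ $KERNEL_ARGS/;}" || return 1
    if ! grep -q '^serial ' "$conf"; then
        tmp=$(mktemp) || return 1
        {
            printf 'serial --unit=0\nterminal --timeout=5 serial console\n'
            cat "$conf"
        } > "$tmp" && cat "$tmp" > "$conf"
        rm -f "$tmp"
    fi
}

# serial_console_ready GRUB_CONF -> 0 when at least one kernel line exists,
# every kernel line names ttyS0, and each GRUB directive appears exactly once.
serial_console_ready() {
    conf="$1"
    [ "$(grep -c '^[[:space:]]*kernel ' "$conf")" -gt 0 ] || return 1
    ! grep '^[[:space:]]*kernel ' "$conf" | grep -qv 'console=ttyS0' || return 1
    [ "$(grep -c '^serial --unit=0$' "$conf")" -eq 1 ] || return 1
    [ "$(grep -c '^terminal --timeout=5 serial console$' "$conf")" -eq 1 ] || return 1
}

# Constructed sample grub.conf in the CentOS 6 layout, for trying this
# offline; one entry already has the console arguments, one does not.
# On a real guest, pass /boot/grub/grub.conf to enable_serial_console.
write_sample_grub_conf() {
    cat > "$1" <<'EOF'
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (sample kernel A)
	root (hd0,0)
	kernel /vmlinuz-sample-a ro root=/dev/mapper/vg-lv LANG=en_US.UTF-8 rhgb quiet
	initrd /initramfs-sample-a.img
title CentOS (sample kernel B)
	root (hd0,0)
	kernel /vmlinuz-sample-b ro root=/dev/mapper/vg-lv console=tty0 console=ttyS0
	initrd /initramfs-sample-b.img
EOF
}
```

After running enable_serial_console on a real guest, reboot it and attach with virsh console; if nothing appears, check that the domain XML defines a serial/console device before suspecting the grub.conf edits.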
Now I can work with my virtual machines even more on the command line.
20 Oct 2015
This is the command to build a simple qcow2 virtual machine disk that grows dynamically. I like to use this on my laptop so that it doesn’t chew through hard disk space.
qemu-img create -f qcow2 filename size
For example, qemu-img create -f qcow2 centos7.qcow2 40G will create a 40G virtual disk for my CentOS VM. On disk, it’s actually only 193KB to start out. Eventually, this size will grow, but it won’t take up the full 40G until
I took this right from the man pages for qemu-img, but I’m posting it for reference for myself.
This blog started when I realized that there are a lot of things that are really interesting. Things that I would either like to keep for reference or share with others. Primarily, this blog was started in hopes of focusing on firmware design in FPGAs. However, it also includes posts related to my work in system administration.