Showing posts with label installation.

Wednesday, March 19, 2014

Installing OSSIM community edition in QEMU

Since OSSIM is based on Debian and it is a nightmare to compile it for something else (ehm, CentOS), I decided to run it in a headless QEMU virtual machine. To test the whole process, I first decided to do a regular installation of OSSIM, with a display. But I ran into a lot of obstacles while trying to install OSSIM community edition in QEMU. It is even more interesting that when you google for ossim and qemu, there are almost no posts.

In the end, everything worked flawlessly, but only when using the text-based installation. To get the text-based installation, edit the boot command line (press TAB at the initial boot screen) and add the following at the end:
DEBIAN_FRONTEND=text
And that gave me the text-based installation. Basically, AlienVault uses Debian's installer, so anything that can be configured for Debian can be configured for OSSIM too. Take a look at the manual for further information.

A few things to be aware of when doing this:
  1. Don't use too small a disk, because the installation will get stuck without any notification of what happened.
  2. I had problems with the GUI-based installation and its ncurses fallback. The installation would get stuck somewhere (e.g. in the GUI after entering the IP address, something would go wrong in the package installation process, MySQL wasn't properly installed and there were errors that starting it failed, Apache wasn't properly installed and the Web console wasn't accessible, etc.)

CentOS 6

On CentOS there is no qemu-kvm like in Fedora. Instead, you have to use libvirtd. Be sure that libvirt is installed before continuing. That means the packages virt-install and libvirt are installed. Additionally, the libvirtd daemon must be started.

So, first create a file for the disk image. You can do this using dd, but even better is to use the fallocate(1) command. Also, fetch the OSSIM ISO image file. Now, to start the installation process use the following command:
virt-install -r 2560 --accelerate -n OSSIM \
        --cdrom /tmp/AlienVault_OSSIM_64Bits_4.3.4.iso \
        --os-variant=debiansqueeze --disk path=./sda.img \
        -w bridge --graphics vnc,password=replaceme
In the previous command I'm giving OSSIM 2.5G of RAM (option -r), the name will be OSSIM, the disk image is in the current directory (with respect to the command virt-install) and I'm using bridged networking. Finally, the console will be available via VNC and the password for access is replaceme.

There are several error messages you might receive when trying to start the installation process:
ERROR    Error with storage parameters: size is required for non-existent disk '/etc/sysconfig/network-scripts/sda.img'
Well, this error message occurred because I was trying to start the installation process in the wrong directory, i.e. one that didn't contain the file for the hard disk image.

The following error:
ERROR    Failed to connect socket to '/var/run/libvirt/libvirt-sock': No such file or directory
means that the libvirtd daemon isn't started. Start it using:
service libvirtd start
and don't forget to make it start every time you boot your machine:
chkconfig libvirtd on
The next error:
Starting install...
ERROR    internal error Process exited while reading console log output: char device redirected to /dev/pts/1
qemu-kvm: -drive file=/root/AlienVault_OSSIM_64Bits_4.3.4.iso,if=none,media=cdrom,id=drive-ide0-1-0,readonly=on,format=raw: could not open disk image /root/AlienVault_OSSIM_64Bits_4.3.4.iso: Permission denied
means that I placed the ISO image in a directory where libvirt cannot access it. Move the image to, e.g., the /tmp directory and try again.

After you have managed to start the installation process, connect to it using the vncviewer application. virt-install binds VNC to localhost, so you won't be able to access it directly from some remote host. This is actually OK, so you shouldn't change it unless you know very well what you are doing. So, to connect to the console, open a terminal window and execute the following command:
ssh -L 5900:127.0.0.1:5900 host_where_installation_is_started
Now, in another terminal on the local machine (i.e. the one where you started the previous ssh command) run the following command:
vncviewer localhost
And that should be it. What happened is that with ssh you created a tunnel between your local machine and the remote one where the virtual machine is being installed. So, don't stop ssh while your VNC session is running!

Thursday, March 13, 2014

Installing Snort 2.9.6.0 on CentOS 6.5 64-bit

Some time ago I wrote a post about installing Snort 2.9.1 on CentOS 6. In the meantime I decided it's time to upgrade, so the idea of this post is to document what changed with respect to that older post. In short, binary packages for CentOS 6 are now provided on Snort's download page. So, you only need to download them and install them (or install them using the URL). Yet, there is a problem with a libdnet dependency (I don't know which one was used during compilation, but it certainly wasn't the one in EPEL).

Compiling and installing

In case you want to rebuild them, the process is now almost without any problems. In the following text I'll assume that you started with a minimal CentOS installation with the following packages installed (and their dependencies, of course): gcc, make, bison, flex, autoconf, automake, rpmbuild.

First, download the daq source rpm file. Before rebuilding it, you should install pcap-devel. This is actually something the rpmbuild tool will warn you that you have to install. When you have installed it, rebuild daq:
rpmbuild --rebuild daq
then, install it:
yum localinstall ~/rpmbuild/RPMS/x86_64/daq-2.0.2-1.x86_64.rpm
Next, for snort you'll need the libdnet library, which is in EPEL. So, first install EPEL:
yum install http://mirrors.neterra.net/epel/6/i386/epel-release-6-8.noarch.rpm
Then, install necessary packages:
yum install libdnet-devel zlib-devel
Those two aren't listed as dependencies in Snort's SRPM file, so without them you'll get a cryptic error message. Now, download Snort's srpm file and rebuild it using:
rpmbuild --rebuild snort-2.9.6.0-1.src.rpm
Now, install it using:
yum localinstall ~/rpmbuild/RPMS/x86_64/snort-2.9.6.0-1.x86_64.rpm
That's all there is for installation.

Configuring and running

I'll assume that you are installing a fresh instance, i.e. there is no previous configuration. In case there is a previous installation, be careful not to overwrite the existing configuration. To configure snort you'll have to download the snortrules archive. Then, unpack it:
mkdir ~/snort
tar xzf snortrules-snapshot-2960.tar.gz -C ~/snort
chown root.root ~/snort
Next you have to move the files into place. First, move the basic configuration files:
mv -f snort/etc/* /etc/snort/
Note that I'm using the force option of the move command to overwrite existing files. Next, move the rules into place:
mv -i snort/rules snort/preproc_rules snort/so_rules /etc/snort/
Now, if you are using SELinux you should change the SELinux context of the files you moved to the /etc/snort directory. Do it using the following commands:
chcon -R system_u:object_r:snort_etc_t:s0 /etc/snort
chcon -R system_u:object_r:lib_t:s0 /etc/snort/so_rules/precompiled/RHEL-6-0/
You should now modify the configuration file. Here is a diff of the changes I made:
--- snort.conf.orig 2014-03-13 11:25:53.889609831 +0100
+++ snort.conf 2014-03-13 11:37:32.419292894 +0100
@@ -42,16 +42,16 @@
 ###################################################

 # Setup the network addresses you are protecting
-ipvar HOME_NET any
+ipvar HOME_NET 192.168.1.0/24

 # Set up the external network addresses. Leave as "any" in most situations
 ipvar EXTERNAL_NET any

 # List of DNS servers on your network
-ipvar DNS_SERVERS $HOME_NET
+ipvar DNS_SERVERS 192.168.1.8,192.168.1.9

 # List of SMTP servers on your network
-ipvar SMTP_SERVERS $HOME_NET
+ipvar SMTP_SERVERS 192.168.1.20

 # List of web servers on your network
 ipvar HTTP_SERVERS $HOME_NET
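Review bot: HOME_NET is narrowed to 192.168.1.0/24 while EXTERNAL_NET stays `any` (the comment above it says to leave it in most situations), so $EXTERNAL_NET still contains the home network and rules written as $EXTERNAL_NET -> $HOME_NET also match traffic between two internal hosts; if that turns out noisy, `ipvar EXTERNAL_NET !$HOME_NET` is the usual tightening. DNS_SERVERS and SMTP_SERVERS are now explicit host lists instead of the whole $HOME_NET, so any DNS or SMTP server not listed drops out of the server-specific rules; keep those lists complete and, as the post says, adapt the addresses to the environment.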
@@ -101,13 +101,13 @@
 # Path to your rules files (this can be a relative path)
 # Note for Windows users:  You are advised to make this an absolute path,
 # such as:  c:\snort\rules
-var RULE_PATH ../rules
-var SO_RULE_PATH ../so_rules
-var PREPROC_RULE_PATH ../preproc_rules
+var RULE_PATH rules
+var SO_RULE_PATH so_rules
+var PREPROC_RULE_PATH preproc_rules

 # If you are using reputation preprocessor set these
-var WHITE_LIST_PATH ../rules
-var BLACK_LIST_PATH ../rules
+var WHITE_LIST_PATH rules
+var BLACK_LIST_PATH rules

 ###################################################
 # Step #2: Configure the decoder.  For more information, see README.decode
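Review bot: the rule paths become plain `rules`, `so_rules` and `preproc_rules`, which is correct only because snort.conf now lives in /etc/snort beside those directories (Snort takes relative paths relative to the directory holding the config file, the same reason the shipped `../rules` worked in the tarball layout). WHITE_LIST_PATH and BLACK_LIST_PATH also point at `rules`, so white_list.rules and black_list.rules have to exist there, even if empty, or Snort errors out at startup; the post creates them as empty files after the diff, so anyone applying only this hunk should do the same.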
@@ -240,13 +240,13 @@
 ###################################################

 # path to dynamic preprocessor libraries
-dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
+dynamicpreprocessor directory /usr/lib64/snort-2.9.6.0_dynamicpreprocessor/

 # path to base preprocessor engine
-dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
+dynamicengine /usr/lib64/snort-2.9.6.0_dynamicengine/libsf_engine.so.0

 # path to dynamic rules libraries
-dynamicdetection directory /usr/local/lib/snort_dynamicrules
+dynamicdetection directory /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.6.0/

 ###################################################
 # Step #5: Configure preprocessors
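Review bot: all three new paths hard-code the Snort version (snort-2.9.6.0_dynamicpreprocessor, snort-2.9.6.0_dynamicengine and the 2.9.6.0 directory under so_rules/precompiled), so this configuration goes stale on the next package upgrade and these lines need revisiting then. The dynamicengine line also names libsf_engine.so.0 rather than libsf_engine.so, so confirm that exact file exists under /usr/lib64/snort-2.9.6.0_dynamicengine/ before starting. The dynamicdetection directory now points at precompiled shared objects that were moved into /etc/snort, which is why the post relabels that directory as lib_t for SELinux; without that step the loader is working with files labelled as configuration.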
You can also download the complete snort.conf file that worked for me. Be careful, you need to change the IP addresses in the configuration file to match your environment.

Finally, create two empty files, /etc/snort/rules/white_list.rules and /etc/snort/rules/black_list.rules.

Now, you should be able to start Snort, i.e.
# /etc/init.d/snortd start
Starting snort: Spawning daemon child...
My daemon child 1904 lives...
Daemon parent exiting (0)                         [  OK  ]
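Before starting Snort it is worth checking that every path snort.conf now refers to actually exists: the relative rule paths, the version-specific dynamic library directories and the two reputation list files are exactly the things the steps above moved around. The following Python checker is an added example, not code from the post or from the Snort project; it resolves var/ipvar references the way snort.conf uses them, and builds a constructed throwaway tree mimicking the layout above, with a few things left missing on purpose so that the report is not empty.

```python
import os
import re
import tempfile

VAR_RE = re.compile(r'^(var|ipvar|portvar)\s+(\S+)\s+(.+)$')
NAME_RE = re.compile(r'\$([A-Za-z_]\w*)')


def _logical_lines(text):
    """Yield (line_number, text): '#' comments stripped, backslash continuations joined."""
    buf, first = [], 0
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].rstrip()
        if not buf:
            first = num
        if line.endswith('\\'):
            buf.append(line[:-1])
            continue
        joined = ' '.join(buf + [line]).strip()
        buf = []
        if joined:
            yield first, joined


def check_config(conf_path):
    """Return sorted (line, directive, missing_path) triples for a snort.conf."""
    conf_dir = os.path.dirname(os.path.abspath(conf_path))
    variables, problems = {}, []

    def expand(value):  # $NAME refers to an earlier var/ipvar definition
        return NAME_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), value)

    def resolve(path):
        # Relative paths are taken relative to the directory holding snort.conf,
        # which is why plain 'rules' works once the file lives in /etc/snort.
        path = expand(path)
        return path if os.path.isabs(path) else os.path.normpath(os.path.join(conf_dir, path))

    def expect(num, directive, path, want_dir):
        if not (os.path.isdir(path) if want_dir else os.path.isfile(path)):
            problems.append((num, directive, path))
    with open(conf_path) as fh:
        text = fh.read()
    for num, line in _logical_lines(text):
        m = VAR_RE.match(line)
        if m:
            kind, name, value = m.groups()
            variables[name] = expand(value)
            if kind == 'var' and name.endswith('_PATH'):
                expect(num, 'var ' + name, resolve(value), True)
            continue
        parts = line.split()
        head = parts[0]
        if head == 'include' and len(parts) == 2:
            expect(num, 'include', resolve(parts[1]), False)
        elif head in ('dynamicpreprocessor', 'dynamicdetection', 'dynamicengine'):
            # 'directory X' must be a directory; 'file X' or a bare path is one library
            expect(num, head, resolve(parts[-1]), len(parts) == 3 and parts[1] == 'directory')
        elif head == 'preprocessor' and len(parts) > 1 and parts[1].startswith('reputation'):
            for key, val in zip(parts, parts[1:]):  # list files must exist, even if empty
                if key in ('whitelist', 'blacklist'):
                    expect(num, 'reputation ' + key, resolve(val.rstrip(',')), False)
    return sorted(problems)


# Constructed snort.conf fragment in the layout the post ends up with ({lib} = /usr/lib64).
DEMO_CONF = """\
ipvar HOME_NET 192.168.1.0/24
var RULE_PATH rules
var PREPROC_RULE_PATH preproc_rules
var WHITE_LIST_PATH rules
var BLACK_LIST_PATH rules
dynamicpreprocessor directory {lib}/snort_dynamicpreprocessor/
dynamicengine {lib}/snort_dynamicengine/libsf_engine.so.0
dynamicdetection directory so_rules/precompiled/RHEL-6-0/x86-64/2.9.6.0/
preprocessor reputation: memcap 500, priority whitelist, \\
   whitelist $WHITE_LIST_PATH/white_list.rules, \\
   blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/local.rules
include $PREPROC_RULE_PATH/preprocessor.rules
"""


def build_demo_tree():
    """Throwaway /etc/snort look-alike; preproc_rules, the engine .so and black_list.rules are missing."""
    root = tempfile.mkdtemp(prefix='snortcheck-')
    for d in ('etc/snort/rules', 'etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.6.0',
              'lib64/snort_dynamicpreprocessor', 'lib64/snort_dynamicengine'):
        os.makedirs(os.path.join(root, d))
    for name in ('local.rules', 'white_list.rules'):
        open(os.path.join(root, 'etc', 'snort', 'rules', name), 'w').close()
    conf = os.path.join(root, 'etc', 'snort', 'snort.conf')
    with open(conf, 'w') as fh:
        fh.write(DEMO_CONF.format(lib=os.path.join(root, 'lib64')))
    return conf


def demo_problems():  # basenames only, so the result does not depend on the temp dir
    return [(num, directive, os.path.basename(path.rstrip('/')))
            for num, directive, path in check_config(build_demo_tree())]
```

Run check_config('/etc/snort/snort.conf') on a real box; an empty list means every referenced path is present.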

Tuesday, June 18, 2013

Upgrading Alfresco

This is a short note on how I upgraded Alfresco. The basic idea was to just replace the WAR files while keeping the configuration files with local modifications intact. To be able to do that, I'll unpack the WAR archive, integrate the changes I made to the running instance of Alfresco, create new WAR archives and place them in tomcat's webapps folder so that it unpacks and deploys them.

Preparation

So, I downloaded Alfresco 4.2.c. More specifically, I downloaded file alfresco-community-4.2.c.zip. The version I had was 4.0.d.

To find out which configuration files are changed in the running instance, I unpacked the alfresco.war archive (that file is in the downloaded archive) into a separate directory using the unzip command. I suggest that you create a directory alfresco, enter that directory and then run the unzip command. There, I ran the following script:
#!/bin/bash
# Run from the directory where the new alfresco.war was unpacked: compare every
# .properties file (except the message bundles) with the copy in the running
# instance and print the names of those that differ.
OLDPATH=/var/lib/tomcat6/webapps/alfresco
for i in $(find . -path ./WEB-INF/classes/alfresco/messages -prune -o -name '*properties' -print)
do
        # If the file doesn't exist in the running instance we don't need to check it, go to the next one
        [ -f "$OLDPATH/$i" ] || continue
        # If the old and new files are the same, then skip it also
        cmp -s "$OLDPATH/$i" "$i" && continue
        # diff -uN "$OLDPATH/$i" "$i" | less
        echo "$i"
done
The script showed me which files had changed:
./WEB-INF/classes/test/alfresco/test-hibernate-cfg.properties
./WEB-INF/classes/alfresco/model/dataTypeAnalyzers_en.properties
./WEB-INF/classes/alfresco/workflow/invitation-nominated-workflow-messages_ja.properties
./WEB-INF/classes/alfresco/templates/webscripts/org/alfresco/slingshot/wiki/move.post_it.properties
./WEB-INF/classes/alfresco/templates/webscripts/org/alfresco/slingshot/wiki/move.post_de.properties
./WEB-INF/classes/alfresco/templates/webscripts/org/alfresco/slingshot/wiki/move.post_nl.properties
./WEB-INF/classes/alfresco/templates/webscripts/org/alfresco/slingshot/wiki/move.post_es.properties
./WEB-INF/classes/alfresco/templates/webscripts/org/alfresco/slingshot/wiki/move.post_fr.properties
./WEB-INF/classes/alfresco/templates/webscripts/org/alfresco/slingshot/wiki/move.post_ja.properties
./WEB-INF/classes/alfresco/templates/webscripts/org/alfresco/slingshot/wiki/move.post.properties
./WEB-INF/classes/alfresco/domain/hibernate-cfg.properties
./WEB-INF/classes/alfresco/repository.properties
./WEB-INF/classes/alfresco/subsystems/email/OutboundSMTP/outboundSMTP.properties
./WEB-INF/classes/alfresco/subsystems/thirdparty/default/swf-transform.properties
./WEB-INF/classes/alfresco/subsystems/thirdparty/default/imagemagick-transform.properties
./WEB-INF/classes/alfresco/subsystems/fileServers/default/file-servers.properties
./WEB-INF/classes/alfresco/subsystems/Synchronization/default/default-synchronization.properties
./WEB-INF/classes/alfresco/subsystems/Search/solr/solr-search.properties
./WEB-INF/classes/alfresco/subsystems/Search/solr/solr-backup.properties
./WEB-INF/classes/alfresco/subsystems/Authentication/ldap-ad/ldap-ad-authentication.properties
./WEB-INF/classes/alfresco/subsystems/Authentication/ldap/ldap-authentication.properties
./WEB-INF/classes/alfresco/subsystems/Authentication/kerberos/kerberos-authentication.properties
./WEB-INF/classes/alfresco/subsystems/Authentication/alfrescoNtlm/alfresco-authentication.properties
./WEB-INF/classes/alfresco/subsystems/Authentication/passthru/passthru-authentication-context.properties
./WEB-INF/classes/alfresco/subsystems/OOoDirect/default/openoffice-transform.properties
./WEB-INF/classes/alfresco/version.properties
./WEB-INF/classes/log4j.properties
Of those, localization files are not important (the ones ending in _[a-z][a-z].properties). If you uncomment the line containing less, the script will compare each file and show you the difference in less. Based on that, I factored out the following configuration files that had changed:
./WEB-INF/classes/alfresco/repository.properties
./WEB-INF/classes/alfresco/subsystems/Authentication/ldap/ldap-authentication.properties
./WEB-INF/classes/alfresco/subsystems/Authentication/kerberos/kerberos-authentication.properties
./WEB-INF/classes/log4j.properties
I also found that I hadn't changed the mail configuration data in the file:
./WEB-INF/classes/alfresco/subsystems/email/OutboundSMTP/outboundSMTP.properties
The next step was to find which changes are due to local configuration, and which ones are due to changes upstream. Namely, I'll take the old configuration files, but the changes in the new version have to be propagated. It turned out that repository.properties doesn't have any changes, while the other three have. So, I started to change the files in the new version of Alfresco that I unpacked. Finally, when all the changes are done, create the new archive:
cd ..
mv alfresco.war alfresco.war.OLD
cd alfresco
zip -9rv ../alfresco .
cd ..
mv alfresco.zip alfresco.war
The first two commands rename the old archive, the next two create a new archive, and the final command changes the name to have the extension WAR. I assumed here that you unpacked the original WAR archive into a directory called alfresco.
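The script above only finds which .properties files differ; deciding, key by key, which differences are local edits and which come from upstream is the three-way comparison described above. The following Python is an added example, not code from the post: it assumes three inputs per file, the defaults from the old WAR (what alfresco.war.OLD unpacks to), the deployed copy under tomcat's webapps, and the defaults from the new WAR; the keys and values in the embedded samples are constructed for the demo.

```python
import re

# Constructed samples for the demo: the defaults shipped in the old alfresco.war,
# the copy running under tomcat (old defaults plus local edits), and the defaults
# in the new alfresco.war.  Keys are in repository.properties style; the values
# are made up.
OLD_DEFAULT = """\
# constructed old defaults
dir.root=./alf_data
db.username=alfresco
db.password=alfresco
db.url=jdbc:mysql://localhost/alfresco?useUnicode=yes
index.recovery.mode=VALIDATE
lucene.indexer.batchSize=1000
"""
DEPLOYED = """\
dir.root=/srv/alfresco/alf_data
db.username=alfresco
db.password=s3cret-example
db.url=jdbc:mysql://db.example.net/alfresco?useUnicode=yes
index.recovery.mode=VALIDATE
lucene.indexer.batchSize=500
"""
NEW_DEFAULT = """\
dir.root=./alf_data
db.username=alfresco
db.password=alfresco
db.url=jdbc:mysql://localhost/alfresco?useUnicode=yes\\
    &characterEncoding=UTF-8
index.recovery.mode=AUTO
system.workflow.engine.activiti.enabled=true
"""

KEY_VALUE_RE = re.compile(r'^((?:\\.|[^=:\s])+)\s*[=:\s]\s*(.*)$')


def _continues(line):
    """A physical line continues onto the next one if its trailing backslashes are odd."""
    return (len(line) - len(line.rstrip('\\'))) % 2 == 1


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comment lines, backslash line
    continuation, and '=', ':' or whitespace as the key/value separator."""
    props, pending = {}, ''
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        if not pending and line[:1] in ('#', '!'):
            continue
        if _continues(line):
            pending = line[:-1]
            continue
        pending = ''
        if not line:
            continue
        m = KEY_VALUE_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).rstrip()
        else:
            props[line] = ''  # bare key, empty value
    return props


def three_way_merge(old_default, deployed, new_default):
    """Carry local edits over onto the new defaults.  Returns (merged, report);
    report lists keys per category so the upgrader knows what to look at."""
    merged = {}
    report = {k: [] for k in ('local', 'upstream', 'conflict', 'added', 'removed')}
    for key in sorted(set(old_default) | set(deployed) | set(new_default)):
        old, mine, new = old_default.get(key), deployed.get(key), new_default.get(key)
        if new is None:
            if mine is not None and mine != old:  # dropped upstream but edited locally
                report['removed'].append(key)
        elif mine is None:
            if old is None:
                merged[key] = new                    # brand-new upstream key
                report['added'].append(key)
            else:
                report['local'].append(key)          # deleted locally, stays deleted
        elif mine == old:
            merged[key] = new                        # untouched locally: follow upstream
            if new != old:
                report['upstream'].append(key)
        elif new == old or new == mine:
            merged[key] = mine                       # only the local side changed it
            report['local'].append(key)
        else:
            merged[key] = mine                       # both sides changed: keep local, flag
            report['conflict'].append(key)
    return merged, report


def demo():
    return three_way_merge(parse_properties(OLD_DEFAULT),
                           parse_properties(DEPLOYED),
                           parse_properties(NEW_DEFAULT))
```

Keys reported under conflict or removed are the ones to resolve by hand before zipping the new WAR; everything else can be written out as merged.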

All this has to be done with the share.war archive too. In my case, the script showed that only log4j.properties had been changed, so I incorporated the changes and created a modified share.war archive.

Update

Finally, I stopped tomcat, and with it alfresco, using:
service tomcat6 stop
created a copy of the existing alfresco and share directories in tomcat's webapps directory. I also renamed the old alfresco.war and share.war, and moved the ones I prepared in their place. Take care about permissions: tomcat has to be the owner of everything! Then, I started tomcat with:
service tomcat6 start
and also started to pray that it works. Well, almost: I watched the logs (/var/log/tomcat6/catalina.out) because I doubt that praying would help. ;)

Everything was OK, i.e. the errors that I received (openoffice, pdf2swf) were expected because I hadn't installed them. But, two errors were not expected:
java.io.FileNotFoundException: alfresco.log (Permission denied)
Well, that one was caused by share.war not being able to reopen the log file already being used by alfresco.war. So, I changed the appropriate log4j.properties so that it uses its own separate log file. Except that it turned out that I had forgotten to change log4j.properties. Anyway, I gave share.war a separate log just to be on the safe side and to finish this finally. The second error was:
java.net.BindException: Permission denied
That one was caused by the FTP server not being able to bind to a low-numbered port. This is OK, because I'm not running tomcat as root. So, I'm safe to ignore it.

Tuesday, January 1, 2013

Fedora 18 installation

The first day of 2013. I switched to a new laptop, a Lenovo W530, and Fedora 18. In this post I'll document what works and what doesn't. Note that because of that, this will be a live post. Basically, this post originates from somewhere around Fedora 16 time and I never got it into a state I thought was good enough to be published. But then I realized that it will never be finished, so I decided to turn it into a published post. Note that I reworked this post to be exclusively about Fedora 18 on the Lenovo W530. At the time this installation was performed Fedora 18 was still in beta, so things might differ after Fedora 18 final is released. I decided to publish this post in an unfinished state and to use it to document the progress I'm making with the transition to a new laptop.

As usual, there are other resources on the Internet about Linux on the W530, and here are some of the more interesting ones I managed to find:
Also, there are some pages with information (somewhat) relevant to this combination (Fedora 18 and W530):

Hardware

I bought the W530 with a 1T internal disk and 8GB RAM, and this was a pretty good deal for this laptop. Additionally, on eBay I bought a 512GB SSD disk and 32GB of RAM (4x8GB). The display has a resolution of 1920x1600 and there is an NVidia card. The resolution was one of the things I wasn't particularly happy with on the previous laptop, which has 1600x1080.

Installation and first boot

I decided to use PXE boot to boot the machine and then install it over the network. It turned out that I had some problems with DHCP on my work network. Additionally, I had problems with Fedora's new installer, which caused many errors during disk partitioning. Everything boiled down to the BTRFS selection being completely broken. LVM was much better, but it also had some quirks (like embedding the host name in logical volume names). This host name embedding was removed later. It should be noted that this was constantly being worked on, so if I tried the same thing some other day, it could work. But I didn't want to wait for some other day, and in the end I decided to mirror the Fedora 18 development repository on my previous laptop and then install from there. The setup was basically the following: the old and new laptops connected with a crossover Ethernet cable, and the old laptop connected to the Internet via wireless. On the old laptop I mirrored the whole Fedora 18 directory tree. I also configured DHCP/TFTP and Apache to be able to do the installation. I won't go into the details of how to do that because there is a manual on the Fedora pages which is quite good.

First boot

First boot is as usual except for one tiny annoyance. Namely, I have used specific values for my UID and GID for a long time, and the first boot configuration screen doesn't allow me to proceed without defining a new user, while at the same time it

Customizations

Customization consists of tweaks to the system and adding external repositories in order for me to be able to install mplayer and similar software not distributed within Fedora, at least not in a usable way.

System customizations

One thing I changed is the following line in the /etc/nsswitch.conf file:
hosts:     files mdns4_minimal [NOTFOUND=return] dns
to be
hosts:     files dns
The reason is that in some local networks I'm using the .local domain suffix, and by default such names are resolved using mDNS (the mdns4_minimal option). Since I'm using regular DNS for those names too, they are unresolvable unless I make this change.

RPM Fusion

RPM Fusion has some packages that are not shipped with Fedora. For example, various audio and video codecs are not in Fedora due to patent or other issues. In that case you need RPM Fusion. RPM Fusion supports different versions of Fedora; you can find a list here. You have to select one free and one non-free repository, copy the link and paste it into the terminal as an argument to the 'rpm -i' command, or the 'yum localinstall' command. This will add the necessary yum configuration files. Now, you can install, for example, mplayer and vlc:
yum install mplayer vlc
There are other interesting packages, but I'll let you explore those for yourself.

Adobe Flash and Acroread

YouTube works without Flash thanks to the HTML5 support in Firefox. But not all videos on YouTube work in HTML5, and also there are sites on the Internet that cannot live without Flash, so it has to be installed too.

On the download page there is an option to retrieve YUM configuration files. So, choose YUM and then you'll be offered a file to download, about 4K in size. After you download it somewhere to your disk, install it using the 'yum localinstall' command. Now, you can install flash using the following command:
yum install flash-plugin
As for Acrobat Reader, you have to download the rpm file and install it "manually". But I think that it isn't so necessary because Evince works very well. There are sporadic cases when Evince has problems, mainly due to fonts, but otherwise it's a very good replacement.

Google Chrome

Normally, to install Google Chrome you first install it manually from the downloaded package, and that adds Google's repositories. But you can skip the "manual" installation, i.e. add the yum repository and install Chrome using yum. To do so, create the file /etc/yum.repos.d/google-chrome.repo and copy the following content into that file:
[google-chrome]
name=google-chrome
baseurl=http://dl.google.com/linux/chrome/rpm/stable/x86_64
enabled=1
gpgcheck=1
Additionally, you have to install Google's signing key (or set gpgcheck in the yum configuration file to 0, which is not advisable). Anyway, use the following two commands to import Google's rpm signing key:
wget https://dl-ssl.google.com/linux/linux_signing_key.pub
rpm --import linux_signing_key.pub
Now, just run yum install google-chrome-beta.x86_64, google-chrome-stable.x86_64 or google-chrome-unstable.x86_64, depending on which version you want to run. Note that there are some other packages in Google's Chrome repository. Use the 'yum list google\*' command to get a list of those.

Virtualization

Fedora has a lot of virtualization options to choose from.

VirtualBox is part of the RPM Fusion free repository. So, you don't need to add anything extra to be able to install it, just run:
yum install VirtualBox
and that's it. Alternatively, you might want to install the "official" Oracle version. Oracle has yum repositories for Fedora (though not for Fedora 18 at the time this post was written) which you can find here, along with instructions on how to install those repositories.

In case you are using VMware Workstation, you'll have to download it from VMware's Web pages. I downloaded the 64-bit trial version of VMware 9.0.1 and installed it. It works, even though during the installation process it created a file named ~ (tilde). It was exactly 1K, but I don't know what it is. Could be some problem in the installation script. Apart from that, it seems that VMware works without any problems.

Note that on January 6th, the kernel was updated to version 3.7.1 (to be precise 3.7.1-2). VMware, as of 9.0.1, isn't compatible with that version of the kernel and it doesn't work! But the solution is simple and easy to find on the net; execute the following commands (as root) and everything should work again:
cd /usr/src/kernels/3.7.1-2.fc18.x86_64/include/linux
ln -sf /usr/src/kernels/3.7.1-2.fc18.x86_64/include/generated/uapi/linux/version.h .
Those are two commands; make sure the ln command is entered on a single line, without a break at the dash. Also, if the kernel version is different, just change the appropriate substrings.

In case you have version 3.7.1-5, then version.h is removed, and when you start VMware Workstation it says it needs to rebuild drivers; after you confirm that, it complains that there are no kernel headers. To fix this problem, execute the following two lines:
cd /usr/src/kernels/3.7.1-5.fc18.x86_64/include/linux
ln -sf /usr/src/kernels/3.7.1-5.fc18.x86_64/include/generated/uapi/linux/version.h .

Removing unnecessary software

This is something I did very thoroughly before, but as time passes I do it less and less. Disk space these days is very cheap and there is plenty of it; also, the interdependencies between packages are complex, so these days I make only a few adjustments.

Removing Asian and Arabic fonts

I decided to remove those simply because it annoys me to have such a large number of options in dialogs where I need to select a font to use, many of which I simply don't understand! So, I removed the packages that start with paktype and lohit using yum (i.e. issue yum remove paktype\* lohit\*), plus wqy-zenhei-fonts, thai-scalable-waree-fonts, cjkuni-uming-fonts, jomolhari-fonts, vlgothic-fonts, vlgothic-fonts-common, un-core-dotum-fonts, smc-meera-fonts, sil-padauk-fonts, sil-abyssinica-fonts, paratype-pt-sans-fonts, lklug-fonts and khmeros-base-fonts.

UI Tweaks

I installed the gnome-tweak-tool, gconf-editor and dconf-editor packages to be able to tweak the UI. Basically, a lot of things can be done from Gnome's Tweak tool. But many cannot. For example, modal windows by default are attached to the windows that opened them, like it is done on MacOS X. But I prefer them to be detached so that I can move them and access the content behind them. So, to change this behavior you should set /desktop/gnome/shell/windows/attach_modal_dialogs to true, e.g. like this (note that this should be a single line):
gconftool-2 --toggle /desktop/gnome/shell/windows/attach_modal_dialogs
This will toggle the value: if it was true it will become false, and vice versa. To query the current state use the following form:
gconftool-2 --get /desktop/gnome/shell/windows/attach_modal_dialogs
If you want to disable the Fedora package search in Gnome, there is a boolean key that controls that: org.fedoraproject.fedorapackages.search. Also, when you install Fedora, fedmsg is enabled by default. You can disable it by toggling its key org.fedoraproject.fedmsg.notify.enabled. For the last two keys you should use dconf, not gconf. Also note that I had some problems using the command line client (probably my fault), so I suggest you use the editor to inspect and change those values.

Successes and Problems

Failed login problem

For some unknown reason I'm unable to log in to GNOME if SELinux is enabled. So, when I boot the machine I have to first switch to some virtual console, log in there as root and issue 'setenforce 0'. I could make that persist across boots (by modifying the /etc/sysconfig/selinux file) but I want SELinux to be enabled, so I'm waiting for this issue to be fixed.

Audio problem

I had problems trying to play audio. I can't remember if that was the problem from the beginning or only after some update I did. Anyway, it turns out the problem is with permissions. Namely, I, as an ordinary user, don't have permission to access the devices, and so PulseAudio is using a dummy device. I searched a bit, but couldn't find anything. The temporary fix is to switch to the root user and change ownership of the /dev/snd directory to my username (chown -R username /dev/snd). PulseAudio immediately notices this and activates sound.

Video problems

Because of permissions I also had problems with gnome-shell and video. Namely, gnome-shell was taking 400% CPU (well, 4 CPUs actually), but the problem was that it was doing software rendering. Running gnome-shell from the command line I got the following error:
libGL error: failed to load driver: i965
libGL error: Try again with LIBGL_DEBUG=verbose for more details.
Two things confused me here. First, is X11 using NVidia or Intel? And second, why was it failing? So, I reran gnome-shell with LIBGL_DEBUG set to verbose (and exported) and it was a bit more informative:
libGL: OpenDriver: trying /usr/lib64/dri/i965_dri.so
libGL error: failed to open drm device: Permission denied
libGL error: failed to load driver: i965
libGL: OpenDriver: trying /usr/lib64/dri/swrast_dri.so
libGL: Can't open configuration file /home/sgros/.drirc: No such file or directory.
libGL: Can't open configuration file /home/sgros/.drirc: No such file or directory.
When I saw the permission errors I immediately knew that this was the same bug as for audio. So, I again did chown -R username /dev/dri and restarted gnome-shell. Now, gnome-shell wasn't even on the process list.

As for the question Intel or NVidia, glxinfo shows that it is using Intel. When I rebooted and looked into the BIOS settings, it turned out that the NVIDIA Optimus display setting was selected. What that setting does is activate both cards, but Intel is used by default and NVidia only when requested. To be able to use such a configuration you'll need to install the Bumblebee program.

Conclusion

As of this writing, to have a working GNOME and to be able to log in, after the boot finishes and GDM presents you with a login screen, you should switch to the second virtual console (Alt+F2), log in as root and execute the following commands:
setenforce 0
chown username /dev/dri /dev/snd
This isn't necessary any more, at least not on a fully patched Fedora 18 as of March 4th.

Other notes

After working on the W510 for two years I have to say that I'll need some time to get used to a few things. First, the keyboard is a bit different. The Esc key is much smaller, and PgUp and PgDn are with the arrow keys instead of in the top left part of the keyboard. Actually, I'll have to get used to the placement of all the other navigation keys as well.

Also interesting is that there is no Caps Lock keyboard indicator; also, there are no Num Lock and Scroll Lock keys. It is problematic when you turn on Caps Lock without knowing it and suddenly things don't work, and you don't know why until you realize that the problem is Caps Lock. I think there should be an LED indicator on the keyboard, but since there isn't, I found a gnome shell extension that adds an indicator to the panel. Since I don't have Num Lock I turned off its indication.

Thursday, November 8, 2012

Installing certificate for Alfresco...

This post is a continuation of the post about installing Alfresco using a native Tomcat6 installation (on CentOS6). If you followed the steps given in that post, you have a running Alfresco installation, but Tomcat uses a self-signed certificate.

To install your own certificate, first obtain it (you can use your own, self-managed CA or you can buy a commercial one), then install it on your Tomcat instance. You'll find a lot of information about this in the SSL Howto on Tomcat's Web pages, but that page assumes that everything you do, you are doing using keytool.

Here is a quick Howto with the assumption that you have the files newcert.pem (containing the certificate), newkey.pem (containing the private key) and cacert.pem (your CA certificate). By default, tomcat's keystore is in its home (/usr/share/tomcat6) and it is named .keystore. The keystore file is password protected and the default password for it is changeit. Note that the period isn't part of the password! I suggest that you copy this file to root's home under the name keystore (note: no leading dot!) or whatever else you wish, so that you can restore the old copy in case something goes wrong with the following steps.

The installation is a two-step process. First, you create a keystore containing your certificate, private key and the CA's certificate. In the second step, you import that information into Tomcat's keystore.

The first step is to pack the certificate for Alfresco, its private key and the CA's certificate into a PKCS12 store using the openssl tool as follows:
$ openssl pkcs12 -export \
        -in newcert.pem -inkey newkey.pem \
        -out mycert.p12 -name tomcat \
        -CAfile cacert.pem -caname root -chain
Enter Export Password:
Verifying - Enter Export Password:
This command assumes that all necessary files (newcert.pem, newkey.pem and cacert.pem) are in your current directory. The output of the command is also stored in the current directory. Note that you are asked for a password that will protect all the data. Enter something, or later you'll see the following warning:
*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in the srckeystore*
* has NOT been verified!  In order to verify its integrity, *
* you must provide the srckeystore password.                *
*****************  WARNING WARNING WARNING  *****************
And then you'll receive the following error:
keytool error: java.security.UnrecoverableKeyException: Get Key failed: / by zero
Second step is to import this pkcs12 file to tomcat's keystore using keytool as follows:
$ keytool -importkeystore -srckeystore mycert.p12 \
        -srcstoretype pkcs12 -destkeystore /usr/share/tomcat6/.keystore
Enter destination keystore password:
Enter source keystore password:
Existing entry alias tomcat exists, overwrite? [no]:  yes
Entry for alias tomcat successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
Again, the input file is in the current directory and you are importing directly into Tomcat's keystore. Note that the existing certificate with the alias tomcat will be removed and you are asked to confirm that! The default alias Tomcat searches for when it starts is called tomcat.

The third step is to change the private key's password, which has to be the same as the keystore's password. Do that using the following command:
keytool -keypasswd -alias tomcat -new <keypassword> -keystore /usr/share/tomcat6/.keystore
You'll be asked for the keystore's password and the password for the key will be set to keypassword. (If you omit the -new option keytool prompts for the new password instead, which keeps it out of your shell history.)

And that's it. Restart tomcat and check if it is using new certificate.
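As an added example (not code from the original post), here is the same procedure as a script, plus an openssl-only check that the PKCS12 store really carries both the server certificate and the CA under the alias tomcat before anything is imported. File names follow the post; the export password is passed as an argument, and keytool's -destkeypass sets the key password during import, which is what the separate keytool -keypasswd step above does afterwards.

```shell
#!/bin/sh
# Added example, not code from the original post. Packs newcert.pem, newkey.pem
# and cacert.pem into a PKCS12 store the way the post does, then checks the
# store with openssl alone before anything is written to Tomcat's keystore.
# The keytool import is included but skipped when no JDK is installed.

# pack_p12 CERT KEY CACERT OUT PASSWORD
# Same options as the post's openssl command; the export password comes from
# an argument (pass:... is openssl's -passout syntax) instead of the prompt.
pack_p12() {
    openssl pkcs12 -export \
        -in "$1" -inkey "$2" \
        -out "$4" -name tomcat \
        -CAfile "$3" -caname root -chain \
        -passout "pass:$5"
}

# p12_cert_count P12 PASSWORD: prints the number of certificates in the store.
# With -chain this should be 2 (server certificate plus the CA); 1 means the
# CA was not included and clients may not be able to build the chain.
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# p12_has_alias P12 PASSWORD: succeeds only if the store opens with PASSWORD
# and carries the friendly name "tomcat", the alias Tomcat looks up at start.
p12_has_alias() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -q 'friendlyName: tomcat'
}

# import_p12 P12 P12PASSWORD KEYSTORE STOREPASS
# The post's keytool import, non-interactive. -destkeypass sets the key
# password to the keystore password at import time, so the separate
# "keytool -keypasswd" step is not needed. Returns 0 without doing anything
# when keytool is not on PATH (no JDK on this machine).
import_p12() {
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found, skipping import"
        return 0
    fi
    keytool -importkeystore \
        -srckeystore "$1" -srcstoretype pkcs12 -srcstorepass "$2" \
        -srcalias tomcat -destalias tomcat \
        -destkeystore "$3" -deststorepass "$4" -destkeypass "$4" -noprompt
}

# check_then_import CERT KEY CACERT P12 P12PASS KEYSTORE STOREPASS
# Full sequence: pack, verify the store, then import. Returns 1 and leaves
# the keystore untouched if the store does not look right.
check_then_import() {
    pack_p12 "$1" "$2" "$3" "$4" "$5" || return 1
    [ "$(p12_cert_count "$4" "$5")" -eq 2 ] || { echo "CA chain missing in $4"; return 1; }
    p12_has_alias "$4" "$5" || { echo "alias tomcat missing in $4"; return 1; }
    import_p12 "$4" "$5" "$6" "$7"
}

# Typical call (keystore path and default password as in the post):
# check_then_import newcert.pem newkey.pem cacert.pem mycert.p12 'exportpw' \
#     /usr/share/tomcat6/.keystore changeit
```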

Thursday, June 28, 2012

Installing Alfresco Community Edition on minimal CentOS...

In this post I'm going to describe how to install Alfresco Community Edition 4.0d starting with a minimal CentOS 6 installation. This will be a two part post, after which I'm going to describe how to integrate Alfresco with FreeIPA for authentication and authorization purposes. The goal of the installation is to use as much of the software available in CentOS as possible. The reason for doing so is that the update process is easier, i.e. you only have to run yum update instead of manually downloading and installing updated software.

Environment and Configuration Parameters


I assume that you have CentOS installation ready. If not, then install it, and if you need some info on how to do it, look at this post. Furthermore, I assume that Alfresco should reside within Intranet, i.e. local network. The reason is that there is no need for Alfresco to be accessible from the Internet and thus it doesn't have to be in DMZ. I'll assign IP address 172.16.1.3 to this host. The FQDN of the host will be alfresco.example-domain.local. Now, if you have working DNS you should put this name into DNS, but it's not necessary, i.e. you can put it into /etc/hosts file of any host that will access Alfresco (including Alfresco itself) and that will do for now.

Alfresco needs a relational database. I'm going to use the MySQL database. Furthermore, I'll assume that this database is on the same host as Alfresco. This will allow me to restrict access to the database. Unfortunately, the standard JDBC driver for MySQL doesn't support access to the database via a Unix socket, so the database has to be accessible via the network stack. I'm going to restrict it to the loopback interface.

Note that I started with the following state of disk usage:
# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1             7,0G  944M  5,7G  15% /

Prerequisite software installation


As for the prerequisite software, you have to install the following packages (all of them shipped with CentOS):
  • java-1.6.0-openjdk - unless you explicitly specify which Java you want installed, gcc's version (gcj) will be pulled in, and that one won't work with Alfresco.
  • tomcat6 - servlet container that will run Alfresco. It is mandatory to install this package. This, along with dependencies, will be 129M to download and will take about 382M disk space.
  • mysql-server - this is a package that holds server part of MySQL database.
  • mysql-connector-java - JDBC connector that will allow Alfresco to access MySQL database.
  • unzip - so that you can unpack Alfresco archive (which is distributed as a zip file)
So, install them using yum. This will download 168M which will expand into 503M. Afterwards, this is the state of disk usage:
# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1             7,0G  1,6G  5,1G  24% /

Configure MySQL database


We also have to prepare MySQL database, i.e. you have to do the following steps:
  1. Configure database to use UTF-8 by default.
  2. Configure it to listen only on loopback interface.
  3. Start database and set root password.
  4. Create alfresco database.
  5. Create alfresco user and assign it a password.
  6. Configure system to start MySQL database during the boot process.
The first two steps are done by editing /etc/my.cnf file. Integrate the following lines with the already existing content (i.e. to existing sections add missing lines, if the section doesn't exist in my.cnf file add it along with all its lines):
[client]
default-character-set=utf8

[mysql]
default-character-set=utf8

[mysqld]
bind-address=127.0.0.1
character-set-server = utf8
collation-server = utf8_unicode_ci
init-connect='SET NAMES utf8'
Note that MySQL has to listen on loopback because JDBC doesn't allow a connection via a Unix socket, at least not without tweaks to the Alfresco code itself.

Step 3 (i.e. set root password) is done by starting MySQL server and then setting password:
/etc/init.d/mysqld start
/usr/bin/mysqladmin -u root password 'new-password'
Replace the string 'new-password' with your password (and keep the quotes, they prevent the shell from interpreting any special characters your password might have!). You should be careful with this password as it is a very critical piece of information! Note that a password given on the command line ends up in the shell history; if you omit it, mysqladmin prompts for it instead.

Step 4 and 5 (create alfresco database and user) are done using mysql tool. So, first start this tool:
# mysql -u root -p
Enter password: <type here root password>
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.1.61 Source distribution

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
and now create database:
mysql> create database alfresco;
Query OK, 1 row affected (0.00 sec)
and grant alfresco user all permissions on the database:
mysql> grant all privileges on alfresco.* to alfresco@localhost identified by 'PASSWORD';
Query OK, 0 rows affected (0.00 sec)
The word PASSWORD should be replaced with a password. Again, this one is critical since all the data will be accessible if someone gets hold of that password. And, while you are at it, remove the test database as it is not necessary and might even present a security threat:
mysql> drop database test;
Query OK, 0 rows affected (0.00 sec)
That's it as far as the mysql client is concerned. So, leave it using the exit command.

Finally, we should configure system to start MySQL database on each boot. This is easily done with:
chkconfig mysqld on
OK, so much about the database. One more thing before going to the Alfresco installation. You have to configure Tomcat so that it loads the MySQL connector when starting, otherwise Alfresco won't be able to connect to the database! To do that, open the file /etc/tomcat6/catalina.properties and search for the line "shared.loader=". Add to that line the string /usr/share/java/mysql-connector-java.jar, i.e. it should now look like this:
shared.loader=/usr/share/java/mysql-connector-java.jar
Save the file and exit and that's it. Now on to Alfresco itself.
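An added example (not from the original post) that checks a my.cnf for the settings above, namely bind-address=127.0.0.1 in [mysqld] and utf8 as the default character set, with section-aware parsing so a bind-address that landed in the wrong section does not pass. The file path is an argument; the sample files used for testing are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Verifies that a my.cnf
# contains the two things the post relies on: MySQL bound to the loopback
# address only, and UTF-8 as the default character set. awk tracks the
# [section] headers, so a key in the wrong section is not counted.

# cnf_get FILE SECTION KEY: print the value of KEY inside [SECTION]
# (last occurrence wins, as MySQL does); prints nothing if absent.
cnf_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*#/ || /^[ \t]*;/ { next }                    # comment lines
        /^[ \t]*\[/ { gsub(/[][ \t]/, ""); sec = $0; next }   # [section] header
        sec == want {
            n = index($0, "=")
            if (n == 0) next                                 # not key=value
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# check_mycnf FILE: return 0 when the file matches the post's configuration,
# otherwise print each problem and return 1.
check_mycnf() {
    f=$1; rc=0
    bind=$(cnf_get "$f" mysqld bind-address)
    case "$bind" in
        127.0.0.1) ;;
        "") echo "[mysqld] bind-address missing: server listens on all interfaces"; rc=1 ;;
        *)  echo "[mysqld] bind-address=$bind is not the loopback address"; rc=1 ;;
    esac
    # section:key pairs that must be utf8 (utf8mb4 is accepted as well)
    for pair in mysqld:character-set-server client:default-character-set mysql:default-character-set; do
        sec=${pair%%:*}; key=${pair#*:}
        case "$(cnf_get "$f" "$sec" "$key")" in
            utf8|utf8mb4) ;;
            *) echo "[$sec] $key is not utf8"; rc=1 ;;
        esac
    done
    return $rc
}

# Typical call on the live file: check_mycnf /etc/my.cnf
```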

Alfresco Installation


First, go to Alfresco download site and download Community edition, i.e. download file alfresco-community-4.0.d.zip. Then, unpack it (using unzip tool) into a temporary directory:
mkdir tmp
cd tmp
unzip ../alfresco-community-4.0.d.zip
<unzip progress output>
You'll now have a few new directories. From the directory web-server/webapps move the files alfresco.war and share.war into Tomcat's webapps directory, i.e. into /var/lib/tomcat6/webapps. From now on, I'm going to refer to that directory as $WEBAPPS, to save some typing. Now, start Tomcat, wait a minute and then stop it. This is so that it unpacks the alfresco and share war archives:
/etc/init.d/tomcat6 start
/etc/init.d/tomcat6 stop
In case you receive ERROR message trying to stop tomcat, wait a bit more and then try again. Namely, until tomcat finishes initialization you can not stop it.

Note also that Tomcat writes its logs into /var/log/tomcat6. You should monitor that directory when starting Tomcat. More specifically, watch the catalina.out file. A tip: I remove all log files before starting Tomcat again so that the new log messages aren't cluttered with the old ones. Of course, I'm doing that only during the installation phase. Later, it is a very good idea to keep the logs around!

Go now into directory  $WEBAPPS/alfresco/WEB-INF/classes. There, you'll see file alfresco-global.properties.sample. Copy this file into alfresco-global.properties and change permissions to a more restrictive values:
cp alfresco-global.properties.sample alfresco-global.properties
chmod 600 alfresco-global.properties
and open it in editor. In there do the following:
  1. Immediately at the beginning uncomment lines  dir.root and dir.keystore. Set dir.root to a directory where Alfresco will store data. I used /var/lib/alf_data (which of course, should be created manually!) but any value with enough storage will do. Also, change the owner of that directory to tomcat and restrict access permissions so that only user tomcat can enter into that directory (use permissions 700). dir.keystore should be set to $WEBAPPS/alfresco/WEB-INF/classes/alfresco/keystore.
  2. Uncomment lines db.username and db.password and set correct value for password (username is alfresco so that shouldn't be necessary to change). This password in plain text is the reason you had to change permissions of the file.
  3. Find MySQL section, and in particular lines there db.driver and db.url and uncomment them. Change the value of db.driver to com.mysql.jdbc.Driver.
Now, open file log4j.properties that is in the same directory as the previous file, i.e. $WEBAPPS/alfresco/WEB-INF/classes. Find there the following line:
log4j.appender.File.File=alfresco.log
And change it to:
log4j.appender.File.File=/var/log/tomcat6/alfresco.log
This line specifies where Alfresco will do its logging. The obvious place is the same directory where tomcat places its logs. Do the same change in file $WEBAPPS/share/WEB-INF/classes/log4j.properties.

Now, start Tomcat again and try to open the following URL in a Web browser: http://alfresco.example-domain.com:8080/alfresco. After a bit of waiting you should be presented with the guest Alfresco home page. You can then log out and log in as admin (U: admin/P: admin). Note that if you can not connect, the reason is the firewall on the Alfresco server. Temporarily turn off the firewall with:
/etc/init.d/iptables stop
and then try again. (For anything beyond a quick test, allow only TCP port 8080 in iptables and keep the firewall running.)

Don't forget to configure the system so that Tomcat is started after each reboot. Anyway, this is the first part of the installation. There are some more tweaks you should do that I'm going to describe in the following post. To end this post, let me show the disk usage:
# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1             7,0G  2,1G  4,6G  31% /

Snort with MySQL support on 64-bit CentOS 6...

In one of the previous posts I wrote about compiling Snort 2.9.2.1 on 64-bit CentOS. The newest stable version of Snort now is 2.9.2.3 and I'll use that version from now on. But, the old post is still valid for compiling that new one, so there is no need for another post.

But, there is a problem. If you tried to build the Snort package with MySQL support like this:
rpmbuild --rebuild --with mysql snort-2.9.2.3-1.src.rpm
then you certainly got the following message:
<some unrelated configure script output>
checking for mysql...

**********************************************
  ERROR: unable to find mysqlclient library (libmysqlclient.*)
  checked in the following places
        /usr
        /usr/lib
        /usr/mysql
        /usr/mysql/lib
        /usr/lib/mysql
        /usr/local
        /usr/local/lib
        /usr/local/mysql
        /usr/local/mysql/lib
        /usr/local/lib/mysql
**********************************************

error: Bad exit status from /var/tmp/rpm-tmp.R2KI5J (%build)


RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.R2KI5J (%build)
Well, the problem is that on 64-bit CentOS (and RHEL derivatives, including Fedora) 64-bit libraries are in /lib64 and /usr/lib64 directories. The easiest way to circumvent that problem is to do the following.

First, install SRPMS file so that it is unpacked:
rpm -ivh snort-2.9.2.3-1.src.rpm
Then, go to the ~/rpmbuild/SPECS directory and open the file snort.spec in some text editor. Search for the following block:
    if [ "$1" = "mysql" ]; then
        ./configure $SNORT_BASE_CONFIG \
        --with-mysql \
        --without-postgresql \
        --without-oracle \
        --without-odbc \
        %{?EnableFlexresp} %{?EnableFlexresp2} \
        %{?EnableInline}
    fi
It's somewhere around line 231. Modify it to include the line --with-mysql-libraries=/usr/lib64 \ right after the --with-mysql \ line, i.e. it should now look as follows:
    if [ "$1" = "mysql" ]; then
        ./configure $SNORT_BASE_CONFIG \
        --with-mysql \
        --with-mysql-libraries=/usr/lib64 \
        --without-postgresql \
        --without-oracle \
        --without-odbc \
        %{?EnableFlexresp} %{?EnableFlexresp2} \
        %{?EnableInline}
    fi
Save and close the file. Then, start the Snort build from the modified spec file (note that -bb takes the spec file, not the source RPM) using the following command:
rpmbuild -bb --with mysql ~/rpmbuild/SPECS/snort.spec
And that should be it...
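An added example (not from the original post) that makes the spec change above from a script: it inserts --with-mysql-libraries=/usr/lib64 right after the --with-mysql \ line, keeps that line's indentation, and refuses to add a second copy when run again. The spec path and the library directory are arguments.

```shell
#!/bin/sh
# Added example, not code from the original post. Applies the snort.spec
# fix from the post with awk instead of an editor. Re-running it on an
# already patched spec is a no-op, so it is safe in a rebuild script.

# add_mysql_libdir SPEC [LIBDIR]
# Prints "patched", "already patched" or "pattern not found"; returns 0 for
# the first two and 1 for the last. LIBDIR defaults to /usr/lib64 as in the post.
add_mysql_libdir() {
    spec=$1; libdir=${2:-/usr/lib64}
    if grep -q -- '--with-mysql-libraries=' "$spec"; then
        echo "already patched"; return 0
    fi
    if ! grep -q -- '--with-mysql \\$' "$spec"; then
        echo "pattern not found"; return 1
    fi
    tmp=$(mktemp) || return 1
    awk -v libdir="$libdir" '
        { print }
        /^[ \t]*--with-mysql \\$/ {
            match($0, /^[ \t]*/)      # reuse the indentation of the matched line
            print substr($0, 1, RLENGTH) "--with-mysql-libraries=" libdir " \\"
        }' "$spec" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$spec"              # cat keeps the spec's owner and mode
    rm -f "$tmp"
    echo "patched"
}

# mysql_libdir_lines SPEC: how many --with-mysql-libraries lines the spec has
# (1 after a correct patch, 0 before; anything else means a double insert).
mysql_libdir_lines() {
    grep -c -- '--with-mysql-libraries=' "$1"
}

# Typical call: add_mysql_libdir ~/rpmbuild/SPECS/snort.spec
```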

Friday, October 28, 2011

Installing minimal CentOS 6.0 distribution

This post starts a three part series in which I'll describe in detail how to install Zimbra Open Source mail server on 64-bit CentOS distribution. The first part deals with CentOS installation itself. The second part talks about setting up split DNS server, and finally, the third part will talk about setting up Zimbra server itself.

Before describing installation, I'm going to define the environment, and some basic parameters, in which this server is going to be deployed. Note that you can implement this network topology using VMWare or some similar product and in that way you can test that everything is working before doing actual installation.

So, the network topology I'm going to assume is given in the following figure:

Network topology for Zimbra Mail server
What you can see in this figure is a future Zimbra server (on the right) with the IP address 10.0.0.2/24. This is the server I'm going to describe how to install. We'll also assume domain example-domain.com. For the moment no additional parameters are needed, and in later post I'll introduce all the necessary parameters on an as needed base.

Preinstallation considerations

When I perform a CentOS installation I usually do a minimal install because that way I'm getting a more secure system. Then, as the need arises, I add additional packages. Sometimes it happens that even the minimal installation (as defined by the CentOS installer) has some packages I don't need and so I remove them. But this state changes from release to release. For example, at one time the minimal installation included isdn4k-tools, which I didn't need as I was connecting my servers to an Ethernet LAN. Apart from security concerns, there used to be an additional reason for a minimal installation: saving disk space. But because of the abundance of available disk space today, that reason is not valid any more, at least not in the majority of cases.
 
Performing base system installation is in principle very easy. The potential problem is that you need to anticipate some parameters, three of which we are going to discuss in some detail. Those are file systems (and disks), network configuration and 32 or 64-bit installation.

For file systems the following details have to be considered: partitions sizes, use of logical volume management and RAID. There is also question of exact file system type to use, but I won't discuss that one here. ext4 suffices in majority of cases.

When we talk about the sizes of different directories, the especially problematic ones in general are /var and /home. But also, for example, /opt, or any other directory with application data and/or logs. Directories like /etc, /usr, /lib, and some others are in general constant in size during the system's deployment. What I would suggest is that you start with the minimum disk space required and when one of the aforementioned directories needs more space, you just create a new partition, move the content of the directory this partition will replace, and finally mount the partition. Additionally, the application you intend to install could significantly influence how your partitions are laid out. In any case, I don't let the installer partition the disk by itself.

I try to avoid logical volume management if I can, if for nothing else, just to remove one additional layer of complexity. But in certain scenarios you'll have no choice but to use it, unless of course you want to have some nightmares later. When, for example, you are installing a production system that is going to be used for a long time and there will be a large quantity of data (but you are uncertain how much exactly), in that case I would suggest that you use logical volume management. So, we have two extremes: on one side there is a static system that won't grow much in size and has a simple file system layout, and on the other side there is a heavily loaded server with lots of recorded data and/or a very complex file system layout. Note that for small systems, maybe medium ones too, where you can afford a few hours of downtime, any decision you make can later be changed. For example, you start without LVM, and then decide that you need it, so you add an LVM partition under a single directory only, or you change everything apart from the boot partition. It is relatively easy to do so and I'll describe that process in some future post.

Finally, there is also question about the use of RAID, should you use it or not. There are several different possibilities:
  1. You are installing system on a local disk subsystem, with or without hardware RAID support.
  2. You are using remote disk storage.
  3. Installation is performed within virtualized environment (e.g. VMware, Citrix Xen, KVM)
In case you are using a virtualized environment then you don't have to use RAID; actually, it is overkill. The assumption is that the host itself has RAID to protect all the hosted virtual machines. Still, there is one exception, and that is a production server running within ESXi. In case you are using ESXi with local storage and you don't have hardware RAID, then you have to implement RAID in the virtual machine. But I suppose that this case will be rare as it signals that you are using some poor hardware for a production environment. Nevertheless, it is possible to do so, and maybe I'll describe that scenario in some future post too.

Next, if you are installing a test server or something not particularly important, RAID is definitely overkill. And finally, if you are using remote storage, then it is also not necessary to use RAID because the remote storage takes care of that (or at least it should).

This leaves us with the scenario of using local storage and installing an important server, and the question of whether to use software or hardware RAID (if there is no hardware RAID, there is obviously no dilemma). I personally prefer software RAID for the simple reason that I can access individual disks using the smartctl tool to monitor their health status. This is also a better solution for a number of low cost RAID solutions because those are, in essence, software RAIDs. Still, when you have some high end hardware that has very good hardware RAID and/or you need high performance, then your route is definitely hardware RAID.

So, the last thing to consider is how to combine software RAID and LVM? I personally prefer using md RAID, and on top of that I install LVM.

While we are at disks we have to also consider swap partition size too. I doubt that more than few gigs of swap is of any use. It used to be a rule to have twice as much of swap as you have RAM. But in case you have 64G of RAM, to have 128G of swap is exaggeration. I usually put 2G, maybe 4G at most. Simply, this can be considered as a space for dormant applications. But if you have so many dormant applications that they fill so much of a swap, then you should probably tune your applications. And yes, if swap is used as a short term space for applications (i.e. they are swapped out, and then shortly after that swapped in) that is also not good as it severely impacts the performance of a server. Finally, RAM is cheap, buy more RAM, not larger disk.

The second consideration, after file systems, is the network. Basically, there are only two options: dynamic or static addresses. That choice is relatively easy. If you are installing some sort of a server, a machine that will be accessed by other machines/people, then it's better to assign a static IP address. With a dynamic address it could happen that the DHCP server is unreachable for some reason, and the server loses its IP address and stops functioning. On the other hand, if you are installing a workstation, that is, a machine that will access other machines, then the better option in the majority of cases is dynamic assignment of addresses, i.e. DHCP. It brings some flexibility into the system, at the price of lower security (which can also be adequately solved).

Finally, the third consideration is whether to install 32 or 64 bit system. I strongly suggest that you install 64 bit system. Only in case you are running some application that requires 32 bit operating system and it is only supported on 32 bit operating system, you should use 32-bit system. In all other cases, as I said, use 64 bit. Here I implicitly assume that the hardware you use is 64 bit. If it is not, then that's also the case when you'll use 32-bit operating system. Note that it is possible to run 32-bit application on a 64-bit operating system! That is, it is not mandatory to install 32-bit installation to use 32 bit applications!

So, that's all about preinstallation considerations. Let us proceed to base system installation.

Installing base system

After all the preinstallation considerations, I'll assume that we are going to install a 64-bit system in a virtualized environment and that we don't expect this system to grow much in terms of installed size and recorded data. So, I won't use RAID, nor am I going to use LVM. Furthermore, it's definitely a server, so we'll use a static IP address. Also, we'll assume that you have 8G of RAM in the server, and we'll allocate 2G of swap and 4G for a single root partition (no separate /var, /home, etc.). Actually, the minimal installation takes about 600MB, but this will grow by about 200M after the first update. So, you have to have at least 1G for the base system install.

Start by putting CD and booting the machine (or attaching ISO image and starting virtual machine).

After the installation starts, it asks you the following series of questions:
  1. Should the installer check CD/DVD? In case you are using ISO image there is certainly no need to do that. If you are using real DVD media, then decide for yourself. I usually skip this step. After this question, graphical installation starts. Note that if you don't have enough RAM, you'll be forced into text based installation which has severely restricted number of options, e.g. you can not manually partition hard disk! Take a look into this post in case you did installation in text mode and want to switch to RAID.
  2. After you select Next you are first asked for the language to be used during installation as well as for the keyboard layout. The two are used only during the installation process. Select the ones that suit you, and select Next.
  3. Storage types used for installation. There are two options: Basic Storage Devices and Specialized Storage Devices. The first one you use when you are performing installation on local disks, while the second one is for a shared storage. Just select Basic Storage Devices.
  4. Then, if this is a new computer, or a new disk, you are presented with a warning that the disk(s) need to be reinitialized. Select the button 'Re-initialize all'.
  5. You are asked to provide computer name. Enter here mail.example-domain.com. Then, click on button Configure Network. A new dialog will open.
  6. In the newly opened dialog select tab Wired (if it isn't already selected) and in there select option 'Auto eth0' and click on the button Edit. New dialog will open.
  7. It is not necessary, but I change the name to be only eth0. Then, I select checkbox Connect automatically. This is mandatory because otherwise your server will be unavailable until someone logs into it and connects it to network. This isn't something you want. :)
  8. Click on the tab IPv4 Settings. You'll see under Method the option Automatic (DHCP). Change that into Manual and click on the Add button. Then, add the address 10.0.0.2, change the network mask to 24 (you'll automatically be offered 8) and enter the gateway 10.0.0.1. Also, enter the IP address of the public DNS server you are using until we configure our own DNS server. Finally, click Apply. Click Close to close the network connections editor.
  9. Select the zone you are in and click Next.
  10. Next, you have to enter the root password. Note that this is a very important password so you should pick a strong one, or be certain in what you are doing! Anyway, after entering the root password (twice) click Next. If you entered a weak password you'll be warned about it. Decide for yourself what you'll do, ignore it or change it to a better one. In any case, eventually you'll proceed to the next step.
  11. Now we came to partitioning step. Select Create Custom Layout and then Next. You'll be transferred to disk editor. In disk editor create swap partition (2G) and root (6G) partition. Both are standard partition so when asked about partition type (after clicking Create button) just confirm default value (i.e. Standard Partition). When you click Next, you'll be asked if you are certain that changes should be written to a disk. To confirm, press button Write Changes to Disk.
  12. When asked about grub loader, just select Next.
  13. Now you are presented with a screen to select package selection to be installed. Select Minimal and then Next.
Installation now starts so you should wait. Because it is minimal install it is finished quite soon. When all the packages are installed press Reboot. At this moment, on CentOS 6.2 the disk usage is:
# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1             7,4G  759M  6,3G  11% /

As a final step of the base system installation you should do an update. Originally, in order to do so you had to add an additional repository that isn't included by default (see some details here), by running the following command as root (this is one line, but it could be broken because of formatting in your browser!):
rpm -ivh ftp://ftp.funet.fi/pub/mirrors/centos.org/6/cr/i386/RPMS/centos-release-cr-6-0.el6.centos.i686.rpm
This additional repository isn't used any more, as far as I know. So just use the following command to update the installation:
yum update
When asked, confirm the update. You'll also be asked to import the CentOS signing key into the RPM database. Check that this is a valid key, and confirm the import process. That's all, the base system is installed! Don't forget to reboot the machine after the upgrade since probably many important packages were replaced with newer versions, and to activate them in already running processes you should reboot the machine.

After update finished my disk usage was:

# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1             7,4G  986M  6,1G  14% /
But the exact values heavily depend on number of updates, so take this only as a rough guideline.

Adding some useful packages

As a final step of base system installation I'll list some additional packages you might want to install. I find them very useful for debugging problems and checking system's correctness. Those packages are:
  • tcpdump - this is the packet sniffer. If something is wrong with a network you'll use this tool to see what's going on (or not, depending on the problem :)).
  • strace - sometimes processes behave oddly and in those cases you can use this tool to trace them and see what's going on. It's not exactly dtrace, but in many cases it is very helpful.
  • telnet - when some server is apparently listening on some port and you can not access it for whatever reason, this simple telnet client can help you try to connect, and using tcpdump see what's going on. It will even allow you to interact with the server, e.g. a mail server, to send a test email message.
  • lsof - a Swiss army knife that allows many things to be queried from processes. For example, which ports are opened by a process, or to which process a particular port belongs. Then what files are opened, etc. Very useful tool, indeed.
  • ntpdate - this is a network time protocol client that allows you to synchronize your machine's clock with some accurate time server (e.g. zg1.ntp.carnet.hr).
  • rsync - for more efficiently copying data from and to server.
  • openssh-clients - to allow rsync to work and also to allow you to connect to remote machines from this server.
All those packages can be installed using yum followed by the package name (the name at the start of each item above).

Saturday, October 1, 2011

Installing Snort 2.9.1 on 64-bit CentOS 6...

I just installed Snort 2.9.1 on CentOS 6, and since that wasn't straightforward process, I decided to document all the steps I did for a later reference. Also, maybe someone will find this useful so I placed it here.

The process of setting up Snort is divided into three phases: compilation, installation and configuration. The compilation phase is done entirely on an auxiliary host, while the installation and configuration phases are done on the target host, i.e. on the host where you wish to install Snort.
Binary Snort packages from the download pages are all for 32-bit machines. Furthermore, the SPEC file within the provided SRPM has two bugs. The first one is that it wrongly links with the libdnet.1 library that doesn't exist. I circumvented that problem as described below. The second problem is that not all preprocessors are included in the final binary package. If you try to start Snort and it fails with the following message in the log file:
FATAL ERROR: /etc/snort/snort.conf(463) Unknown preprocessor: "sip".
then this is a manifestation of that problem. Apart from sip, the imap, pop and reputation preprocessors are also missing. I have fixed the spec file and made a new Snort SRPM package. If you trust me enough (but don't! :)), you can skip the compilation phase and obtain the binary packages for daq and snort directly from my homepage. In that case, go to the installation phase and continue from there.

Compilation

As I said, the first problem with Snort is that on the download page there are no precompiled binaries for 64-bit versions of Linux distributions. Still, there are SRPM packages (extension src.rpm) of Snort and of its prerequisite DAQ, so it isn't so bad. Download those packages and rebuild them: first daq and then, after installing daq, snort itself. For the rebuild process a development environment is mandatory, i.e. a compiler, development libraries, etc. Since you are probably going to run Snort on a firewall, or on some machine close to the firewall, it isn't good security practice to install a development environment on the target machine (i.e. the firewall). So, find another machine with CentOS 6 and all the latest updates (or install one) and perform the build process there. At minimum you'll need the package rpm-build-4.8.0-16.el6.x86_64; afterwards, any missing package will be reported and you can install it using yum. So, install the rpm-build package and try to start the build process (do this as an ordinary user, never as root, since rpmbuild executes the scripts contained in the SRPM with the privileges of whoever runs it):
rpmbuild --rebuild daq-0.6.1-1.src.rpm
If missing packages are reported, then install them (as superuser) and try to start the build process again. Note that libdnet is available from the EPEL repository, and that yum-builddep from the yum-utils package can install all build dependencies of an SRPM in one go instead of this trial and error. Repeat this until the build process is successful. The binary package will be in the directory ~/rpmbuild/RPMS/x86_64/. Go there and install the daq package:
yum localinstall --nogpgcheck daq-0.6.1-1.x86_64.rpm
The --nogpgcheck option is necessary since we didn't sign the binary package. This also means yum cannot verify who built the package, which is one more reason to build it yourself rather than to take somebody else's binary. Then, go back to the directory where you downloaded daq and snort, and start the snort build process:
rpmbuild --rebuild snort-2.9.1-1.src.rpm
This too can stop due to missing packages, so install any required package and restart the build process. Do this until the build process is successful.
Now you have the daq and snort packages ready in the build output directory ~/rpmbuild/RPMS/x86_64/, namely the files daq-0.6.1-1.x86_64.rpm and snort-2.9.1-1.x86_64.rpm.

Installation

Transfer the binary packages of snort and daq to the target machine and install them there:
yum localinstall --nogpgcheck daq-0.6.1-1.x86_64.rpm \
            snort-2.9.1-1.x86_64.rpm
It could also happen that you'll need additional packages, but any dependencies will be automatically retrieved and installed by yum. That's it for the installation phase.

The build process, for whatever reason, wrongly got a dependency on the libdnet library: it looks for libdnet.1 instead of libdnet.so.1. To check whether this is a problem in your case, just try to start snort (running ldd on /usr/sbin/snort also shows any library that is reported as not found):
# /etc/init.d/snortd start
Starting snort: /usr/sbin/snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory
                                                           [FAILED]
In case the output looks like that one, you have the problem with libdnet.1 too. To solve it, go to the directory /usr/lib64 and run the following command there:
# ln -s libdnet.so.1 libdnet.1
This is actually a hack, since the build process has a bug, but as I didn't want to look into or modify the build process, this was easier to do, so I did it that way.

It later turned out that the error with the libdnet library was caused by a manually installed libdnet in /usr/local/ on the build host, which for whatever reason had the name libdnet.1, and that was picked up by the configure script. In other words, if you compile snort yourself on a clean host you'll not have that problem; it only affected the old binary that I provided (and that is now fixed!).
You'll also need to obtain the Snort rules, and that requires you to register on the Snort Web page. After registering and downloading the rules, unpack the archive you obtained into some directory. In the following text I'm using the package snortrules-snapshot-2910.tar.gz from September 1st, 2011 (which was obtained on October 1st, 2011).

What you'll get is the following structure:
$ ls -1
etc
preproc_rules
rules
so_rules
Move the directories preproc_rules, rules and so_rules into the /etc/snort directory. Also, move the content of the etc directory to /etc/snort, overwriting any files there.

In case you have SELinux enabled, snort will be prevented from starting because of wrongly labeled preprocessor plugins. This manifests itself with the following line in the log files:
FATAL ERROR: Failed to load /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.1.0//smtp.so: /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.1.0//smtp.so: failed to map segment from shared object: Permission denied
Of course, the exact paths will differ depending on your installation. Note that snort runs as an unconfined process, and until I find a way to confine it, this can be solved by running the following command in the directory /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.1.0 (note that this is the directory reported in the log file!):
# chcon system_u:object_r:lib_t:s0 *
Keep in mind that chcon changes the label only until the next relabel of those files (e.g. by restorecon or a full relabel on boot); to make the change permanent, register the directory as lib_t with semanage fcontext and then run restorecon on it.

Configuration

The final step is Snort configuration prior to running it. The master configuration is stored in the /etc/snort/snort.conf file, so open it with your favorite text editor and modify the following lines:
  1. The line that reads ipvar HOME_NET any (approximately the 45th line). Replace any with your network address. In my case that was 192.168.1.0/24.
  2. The line that starts with the words dynamicpreprocessor directory (approximately the 234th line). Its parameter is a directory; change it to /usr/lib64/snort-2.9.1_dynamicpreprocessor/.
  3. Immediately following the previous line is the line that starts with dynamicengine. Change its parameter to the value /usr/lib64/snort-2.9.1_dynamicengine/libsf_engine.so.
  4. And, immediately following the previous line is the line that starts with the words dynamicdetection directory, whose parameter should be /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.1.0/.
  5. Also, you have to create two empty files, /etc/snort/rules/white_list.rules and /etc/snort/rules/black_list.rules. Alternatively, you can disable the reputation preprocessor (find the line that begins with preprocessor reputation and comment out the whole block).
Additionally, open the /etc/sysconfig/snort file and check whether there is something you need to change. For example, in case you have multiple interfaces on which you would like to run snort, you'll have to configure them in that file.
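The five snort.conf edits above, and a check that they actually took hold, can also be done with a short script instead of by hand. The following is an added example, not part of the original post and not code from the Snort package; it assumes the stock 2.9.1 snort.conf line formats reproduced in its constructed sample, the /usr/lib64 paths from the list above, and that the reputation list files live in the rules directory passed as a parameter (/etc/snort/rules on a real installation).

```shell
#!/bin/sh
# Added example (not from the original post): apply the snort.conf edits
# described in the text with sed and verify the result afterwards.
# Assumptions: stock snort 2.9.1 snort.conf line formats and the
# /usr/lib64 library paths given in the list above.

# Write a constructed, abbreviated snort.conf to $1 so the functions below
# can be exercised without a real Snort installation. The lines mirror the
# stock 2.9.1 configuration the post tells you to edit.
make_sample_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules
EOF
}

# configure_snort_conf CONF HOME_NET RULES_DIR
# Rewrites the four lines from the list above (steps 1-4) and creates the
# two initially empty reputation list files in RULES_DIR (step 5).
configure_snort_conf() {
    conf=$1; home_net=$2; rules_dir=$3
    sed -e "s|^ipvar HOME_NET .*|ipvar HOME_NET $home_net|" \
        -e "s|^dynamicpreprocessor directory .*|dynamicpreprocessor directory /usr/lib64/snort-2.9.1_dynamicpreprocessor/|" \
        -e "s|^dynamicengine .*|dynamicengine /usr/lib64/snort-2.9.1_dynamicengine/libsf_engine.so|" \
        -e "s|^dynamicdetection directory .*|dynamicdetection directory /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.1.0/|" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    mkdir -p "$rules_dir"
    # touch only creates the files when missing; existing lists are left alone
    touch "$rules_dir/white_list.rules" "$rules_dir/black_list.rules"
}

# check_snort_conf CONF RULES_DIR
# Returns 0 when every edit is in place, 1 otherwise, naming the first
# problem on stderr. Run it before (re)starting snort.
check_snort_conf() {
    conf=$1; rules_dir=$2
    if grep -q '^ipvar HOME_NET any$' "$conf"; then
        echo "HOME_NET is still 'any'" >&2; return 1
    fi
    # -x matches whole lines, -F takes the text literally (no regex metachars)
    for line in 'dynamicpreprocessor directory /usr/lib64/snort-2.9.1_dynamicpreprocessor/' \
                'dynamicengine /usr/lib64/snort-2.9.1_dynamicengine/libsf_engine.so' \
                'dynamicdetection directory /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.1.0/'; do
        grep -qxF -- "$line" "$conf" || { echo "missing: $line" >&2; return 1; }
    done
    # the reputation preprocessor fails at startup without its two list files
    if grep -q '^preprocessor reputation' "$conf"; then
        for f in white_list.rules black_list.rules; do
            [ -f "$rules_dir/$f" ] || { echo "reputation preprocessor enabled but $rules_dir/$f is missing" >&2; return 1; }
        done
    fi
    return 0
}

# Stand-alone demo on a temporary copy of the constructed sample
tmpdir=$(mktemp -d)
make_sample_conf "$tmpdir/snort.conf"
configure_snort_conf "$tmpdir/snort.conf" 192.168.1.0/24 "$tmpdir/rules"
check_snort_conf "$tmpdir/snort.conf" "$tmpdir/rules" && echo "snort.conf OK"
rm -rf "$tmpdir"
```

On the real machine back up /etc/snort/snort.conf first, then run configure_snort_conf /etc/snort/snort.conf 192.168.1.0/24 /etc/snort/rules followed by check_snort_conf with the same paths. Before starting the service, validate the result with snort -T -c /etc/snort/snort.conf: in test mode Snort parses the configuration and loads the rules, the dynamic engine and the shared-object preprocessors without sniffing, so the missing-preprocessor and wrong-library-path errors from above show up there instead of in the init script's log.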

Finally, start snort with the following command:
# /etc/init.d/snortd start
and, if snort should be started during the boot process, also run the following command:
# chkconfig snortd on
And, that's it! :)
