
Wednesday, June 1, 2011

Creating A Local Yum Repository on CentOS 5.x

In our University we have multiple systems running on Linux, so it is good to have a local repository instead of downloading from the remote repository over and over again. During the daytime our download speed at the university is low because of heavy network traffic, so a local repository is a big advantage: we download the updates once, update all our systems over the fast LAN connection, and save our internet bandwidth.
Today I'm going to explain how to create a local CentOS repository to update our local CentOS systems. For that we first need the rsync and httpd packages. Both are normally present on a default CentOS install; otherwise you can install them with the following command.

su -c 'yum install httpd rsync'
Now we create the directory that will hold all the RPM files. If we get all the CentOS files from rsync, we can create just one directory and rsync will create the folder structure underneath it automatically.

mkdir /var/www/html/CentOS/

If you copy CentOS from the DVD or CDs first, you must create the CentOS folder structure yourself, because when rsync later updates your repository it relies on this folder structure.


su -c 'mkdir -p /var/www/html/CentOS/5/{os,updates}/x86_64'
Here 5 is your CentOS version and x86_64 is the architecture (the directory name must use the same CentOS spelling as the rest of this post, since Linux paths are case-sensitive). Then you can copy the relevant files into
/var/www/html/CentOS/5/os/x86_64/
e.g.:
su -c 'mount /dev/cdrom /mnt'
su -c 'cp -rv /mnt/CentOS /mnt/repodata /var/www/html/CentOS/5/os/x86_64/'
su -c 'umount /mnt'
Now you can verify that it works by opening your CentOS folder in a browser (on localhost or remotely),
e.g. http://<your IP or 127.0.0.1>/CentOS
This is how it looks on my server:
 
Now our repository server is ready. Since distributions change often, we need to sync with the distribution's update servers. We use rsync for this job: it scans the directory tree on the distribution server and applies the changes to the local directory. So we need an rsync mirror for the updates; in the CentOS mirror list you can identify the mirrors that offer rsync. Now we create a script to run this rsync whenever we need it; the following is the script that I used (updaterepo.sh).


#!/bin/bash
# updaterepo.sh - mirror the CentOS 5.5 tree from the rsync mirror, retrying up to 3 times

s=1   # exit status of the last rsync run; 1 forces the first attempt

for (( c=1; c<=3; c++ ))
do
  if [ $s -ne 0 ]; then
    # -a archive, -v verbose, -S sparse files, -H hard links, -P partial/progress;
    # --delete removes files the mirror no longer has; ISOs and local* dirs are skipped
    rsync -avSHP --delete --exclude "local*" --exclude "isos" ftp.jaist.ac.jp::pub/Linux/CentOS/5.5 /var/www/html/CentOS/ 2> error_log.txt
    s=$?
  fi
done

# copy the marker file once the sync loop has finished
cp /usr/local/test /usr/local/suc
To run this script manually you can type
./updaterepo.sh
Updating this repository should be done often, and running the script manually is not practical, so we use a cron job to run it automatically at a suitable time. For that enter

crontab -e
This will open your current crontab in an editor, where you can enter your entry as follows. When you save the file, the crontab is loaded and ready for use.
0 2 * * * /myscripts/updaterepo.sh
In this crontab, the script is updaterepo.sh in the /myscripts directory and I run it every morning at 2am. There are five fields in a crontab entry for setting the date and time at which a program should run. The five time settings are in the following order.
  • Minutes - in the range 0 - 59
  • Hour - in the range 0 - 23
  • Day of month - in the range 1 - 31
  • Month - in the range 1 - 12
  • Day of week - in the range 0 - 6 (0 = Sunday)
Any field with a * means run on every possible match, so for example a * in the day of month field will run the script every single day of the month at the specified time. More about crontab can be found in the crontab(5) manual page.

That was all on the server side. Now each client should change its /etc/yum.repos.d/CentOS-Base.repo to use the local mirror instead of the remote mirrors. For that, change baseurl to your local IP. It is easiest to copy my file below and replace my IP with yours.

#replace my repo IP 10.16.91.1 with yours

[base]
name=CentOS-$releasever - Base
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
baseurl=http://10.16.91.1/CentOS/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

#released updates 
[updates]
name=CentOS-$releasever - Updates
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
baseurl=http://10.16.91.1/CentOS/$releasever/updates/$basearch/

gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

#packages used/produced in the build but not released
[addons]
name=CentOS-$releasever - Addons
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=addons
baseurl=http://10.16.91.1/CentOS/$releasever/addons/$basearch/

gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
baseurl=http://10.16.91.1/CentOS/$releasever/extras/$basearch/

gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
baseurl=http://10.16.91.1/CentOS/$releasever/centosplus/$basearch/

gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
baseurl=http://10.16.91.1/CentOS/$releasever/contrib/$basearch/

gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
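Because every client trusts whatever the local server publishes, the gpgcheck=1 and gpgkey lines above are what keep a tampered or corrupted mirror from installing unsigned packages. The following is an added example, not part of the original post: a small Python check that reads a CentOS-Base.repo file and reports any enabled section that has gpgcheck off, no gpgkey, a still-active mirrorlist, or a baseurl that does not point at the local mirror (the 10.16.91.1 address comes from this post; the sample file is modelled on it with defects added).

```python
"""Check a CentOS-Base.repo client file for the settings the post relies on.

Added example, not code from the original post: every enabled section must
keep gpgcheck=1 and a gpgkey, must point baseurl at the local mirror and
must not still have an active mirrorlist line that bypasses that mirror.
"""
import configparser

# Constructed sample modelled on the post's file, with two deliberate defects:
# [updates] has gpgcheck switched off and [extras] still uses the remote
# mirrorlist instead of a local baseurl.
SAMPLE_REPO = """\
#replace my repo IP 10.16.91.1 with yours
[base]
name=CentOS-$releasever - Base
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
baseurl=http://10.16.91.1/CentOS/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

[updates]
name=CentOS-$releasever - Updates
baseurl=http://10.16.91.1/CentOS/$releasever/updates/$basearch/
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

[extras]
name=CentOS-$releasever - Extras
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

[centosplus]
name=CentOS-$releasever - Plus
baseurl=http://10.16.91.1/CentOS/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
"""

LOCAL_MIRROR = "http://10.16.91.1/CentOS/"  # the post's repository server


def check_repo(text, local_mirror=LOCAL_MIRROR):
    """Return {section: [problems]} for enabled sections; an empty dict is clean."""
    # interpolation=None keeps yum's $releasever / $basearch variables literal
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = {}
    for section in cp.sections():
        sec = cp[section]
        if sec.get("enabled", "1").strip() == "0":
            continue  # yum ignores disabled repos, so there is nothing to check
        found = []
        if sec.get("gpgcheck", "0").strip() != "1":
            found.append("gpgcheck is not 1: unsigned packages would be installed")
        if not sec.get("gpgkey", "").strip():
            found.append("gpgkey missing: no key to verify package signatures")
        if "mirrorlist" in sec:
            found.append("mirrorlist still active: yum would bypass the local mirror")
        if not sec.get("baseurl", "").strip().startswith(local_mirror):
            found.append("baseurl does not point at the local mirror")
        if found:
            problems[section] = found
    return problems


if __name__ == "__main__":
    for section, issues in sorted(check_repo(SAMPLE_REPO).items()):
        for issue in issues:
            print(f"[{section}] {issue}")
```

Run it against the real file with check_repo(open("/etc/yum.repos.d/CentOS-Base.repo").read()) after rolling the configuration out to a client.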
                                                           


Now you are done

 




Thursday, March 24, 2011

How to Enable SSL+ Apache2 on Ubuntu from source

Today I'm going to start a system administration tutorial, because I currently have the opportunity to work in the University Of Colombo Network Operating Center as a trainee network and system administrator. I believe I can gain a lot of experience in this period, and I hope to share all the new knowledge with you. Today I'm going to talk about enabling SSL on our own Ubuntu apache2 server. I'm not going to cover installing apache2, because you can easily do that, but enabling ssl is a little bit harder and gives some unexpected errors, so in this post I'm going to show how to enable ssl successfully in our Apache2 server.


To enable ssl we need to enable mod_ssl in Apache and install openssl to generate the keys.
To configure a secure server we use public key cryptography, so we need to generate a public/private key pair and obtain a certificate. In my case I'm going to create a self-signed certificate; otherwise we can get a certificate from a Certificate Authority (CA), and using Google we can find several commercial and free CAs. So first I compile and install openssl to generate the above, as follows.
01. Installing openssl

Here I used the openssl source (openssl-0.9.7e.tar.gz); you can download it from www.openssl.org/source and then extract it as follows:


tar -zxvf  openssl-0.9.7e.tar.gz

 
or
gunzip the archive and then run tar -xvf on it.
After this cd into openssl-0.9.7e and configure it using the following command.


./config --prefix=/usr/local


With --prefix we specify the install directory for OpenSSL. Next we compile and install it with make and then make install (first make, then make install).





02. Generating a key for the Certificate Signing Request (CSR)
We need to generate a key; for that I create a directory for the keys (mkdir ssl) and run the following inside it.

        
         openssl genrsa -des -out keyname.key 1024
         


During key generation we are prompted for a passphrase for our key.


03. Then I create the Certificate Signing Request (CSR)
        using the following command:

      openssl req -new -key keyname.key -out csrname.csr


This command prompts for a series of things: Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name, Email Address, etc.
Then we can submit this CSR file to a CA (Certificate Authority) for processing. They will use the CSR to issue the certificate. Alternatively, we can create a self-signed certificate from this CSR.




04. Creating a self-signed certificate
using the following command:
          openssl x509 -req -days 365 -in csrname.csr -signkey keyname.key -out crtname.crt


Here I got an error because my .key file was not inside my current directory, so remember to execute this command inside the directory (in my case ssl) that contains the key generated above.
After executing the command we can inspect our certificate with the following command (mine is shown below).

                    openssl x509 -in crtname.crt -text -noout

 
Now my ssl directory contains the following files, and I change the permissions of all the keys to 400 as shown.
 

05. Enabling the ssl module for Apache2 using a2enmod ssl
Now that we have finished creating the certificate, we can enable the ssl module for apache2:

        sudo a2enmod ssl

06. To enable the ssl site we add the following to our Apache httpd.conf (/usr/local/apache2/conf) file:

# Instruct Apache2 to listen on port 443
Listen 443

# Create a virtual host that listens on 443
NameVirtualHost 127.0.0.1:443

<VirtualHost 127.0.0.1:443>
    ServerAdmin charith079@gmail.com

    # I created an ssl directory to keep my secure website
    DocumentRoot /usr/local/apache2/htdocs/ssl
    ServerName www.secure.com
    ServerAlias www.secure.com
    ErrorLog /usr/local/apache2/logs/server2log

    SSLEngine On

    # Here I am allowing only "high" and "medium" security cipher strengths.
    SSLCipherSuite HIGH:MEDIUM
    # Here I am allowing SSLv3 and TLSv1; I am NOT allowing the old SSLv2.
    SSLProtocol all -SSLv2
    # Server certificate that I created in the step above:
    SSLCertificateFile /usr/local/apache2/secure.com.crt
    # Server private key:
    SSLCertificateKeyFile /usr/local/apache2/conf/secure.com.key
    # Server certificate chain; this relates to my own Certificate Authority (CA).
    # I created a separate .crt for my CA; this is not compulsory:
    SSLCertificateChainFile /usr/local/apache2/conf/my-ca.crt
    # Certificate Authority (CA):
    SSLCACertificateFile /usr/local/apache2/conf/my-ca.crt
</VirtualHost>
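The SSLProtocol and SSLCipherSuite lines decide which protocol versions and cipher strengths the server will accept; SSLv3 and MEDIUM-strength ciphers were still common when this post was written but are not considered safe today, and the private key file must stay readable only by the user Apache runs as. The following added example (Python, not code from the original post) audits a fragment like the one above: it expands the SSLProtocol value into the set of protocols left enabled, flags weak protocols and cipher keywords, and checks the key file's permissions. Which protocols `all` expands to, and the list of weak keywords, are assumptions of the example.

```python
"""Audit the mod_ssl directives from an httpd.conf fragment (added example, not
the post's own code): expand SSLProtocol into the protocols left enabled, flag
the unsafe ones, flag weak cipher keywords, and check that the private key file
is not readable by other users (the post sets its keys to mode 400)."""
import os
import re
import stat
import tempfile

# Assumption: what 'all' expands to (SSLv2 kept so the post's "-SSLv2" removes it).
ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # broken or deprecated today
WEAK_CIPHER_WORDS = {"MEDIUM", "LOW", "EXPORT", "NULL", "aNULL", "RC4", "DES", "3DES"}

# Constructed sample modelled on the post's fragment; {key} is filled in by demo().
SAMPLE_CONF = """\
SSLEngine On
SSLCipherSuite HIGH:MEDIUM
SSLProtocol all -SSLv2
SSLCertificateKeyFile {key}
"""

def directives(text):
    """Map each directive name to its value (the last occurrence wins)."""
    out = {}
    for line in text.splitlines():
        line = line.strip().replace("\t", " ")
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            out[name] = value.strip()
    return out

def enabled_protocols(value):
    """Expand mod_ssl's 'all', '+proto' and '-proto' keywords into a set."""
    enabled = set()
    for token in value.split():
        remove = token.startswith("-")
        name = token.lstrip("+-")
        for proto in (ALL_PROTOCOLS if name.lower() == "all" else [name]):
            (enabled.discard if remove else enabled.add)(proto)
    return enabled

def audit(text):
    """Return a list of findings for the fragment; an empty list means clean."""
    d = directives(text)
    findings = []
    if d.get("SSLEngine", "").lower() != "on":
        findings.append("SSLEngine is not On")
    weak = enabled_protocols(d.get("SSLProtocol", "all")) & WEAK_PROTOCOLS
    if weak:
        findings.append("weak protocols enabled: " + ", ".join(sorted(weak)))
    bad = set(re.split(r"[:,\s]+", d.get("SSLCipherSuite", ""))) & WEAK_CIPHER_WORDS
    if bad:
        findings.append("weak cipher keywords: " + ", ".join(sorted(bad)))
    key = d.get("SSLCertificateKeyFile")
    if key and os.path.exists(key):
        mode = stat.S_IMODE(os.stat(key).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):  # any group/other permission bit
            findings.append(f"private key {key} is readable by others (mode {mode:o})")
    return findings

def demo():
    """Audit the sample with a loosely, then a tightly, protected key file."""
    with tempfile.NamedTemporaryFile("w", suffix=".key", delete=False) as f:
        f.write("constructed placeholder, not a real key\n")
        path = f.name
    try:
        os.chmod(path, 0o644)
        loose = audit(SAMPLE_CONF.format(key=path))
        os.chmod(path, 0o400)
        tight = audit(SAMPLE_CONF.format(key=path))
    finally:
        os.unlink(path)
    return loose, tight
```

On a real server, pass the SSL section of httpd.conf to audit() and the key-file check runs against the actual SSLCertificateKeyFile path.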

 
07. Finally, to load the ssl module into Apache we need to add the following line to httpd.conf:

LoadModule ssl_module modules/mod_ssl.so

Now restart the Apache server (/usr/local/apache2/bin/apachectl restart, or ./apachectl restart from that directory). The following is how my ssl site and certificate appear in my browser.






Errors
During this installation I got several errors and found solutions for them on forums and the Internet, so I hope they may help you too.

01) When I compiled openssl on my Ubuntu OS I got the following error.




I found this solution:
Unpack openssl-0.9.7m.tar.gz,
edit Configure and Makefile and change all instances of -m486 to -mtune=i486.

Run "tar -pczf openssl-0.9.7m.tar.gz openssl-0.9.7m" to repack dir, remove the unpacked directory. Make sure you do this before running ./config setup on any upgrades in the future until this is fixed in ./setup package.

02) When I configured httpd.conf and restarted the server I got the following error.


Solution:
You may have forgotten to add the Listen 443 line in httpd.conf.
This also occurs when several Apache instances are running at the same time; we can use the netstat and ps commands to find and kill the extra instances.

03) After finishing the virtual host for port 443 I got the following error.




Solution:
This error is given when the Apache server couldn't load mod_ssl.so from the /usr/local/apache2/modules directory. This can occur when we didn't configure Apache (when installing from source) with ssl enabled. In the Apache configure step we must use the following to enable ssl:

./configure --enable-mods-shared="all ssl" --with-ssl

Tuesday, August 3, 2010

Introduction to Network Concepts III(Functions of OSI Layers)

Today I'm going to talk about the functions of the OSI layers that I covered in the previous post. In CCNA we want to learn the first four layers (Physical, Data Link, Network and Transport) deeply; the other three are not that important for us, because the top three layers are associated with software developers rather than network people. So let's start with the Physical Layer.
  • Physical Layer implementation and functions.
When we consider the implementation of the physical layer, there are mainly three types of implementation.
  1. Ethernet
  2. Token Ring (used with IBM computers)
  3. Fiber Distributed Data Interface (FDDI - dual optical fiber ring at 100Mbps)
Nowadays Ethernet is the most popular and most common Local Area Network architecture; it was invented by Dr. Robert M. Metcalfe at Xerox Palo Alto Research Center in 1972. Physical layer encoding and transmission methods have become more complex over time, so the Ethernet specification is broken into different categories so that different network media can be supported by the same technology. Another important point: around the same time the OSI model was developed, the IEEE developed the 802 standards, such as 802.5 Token Ring and 802.11 for wireless networks. Both organizations exchanged information during development, which resulted in two compatible standards. The IEEE 802 standards define physical network components such as cabling and network interfaces.

Following are the characteristics of different Ethernet specifications.


Summary of Ethernet 802.3 Characteristics

Standard    Speed    Maximum Distance   Media Type                       Connector Used
10BASE-2    10Mbps   185m               RG-58 coaxial                    BNC
10BASE-5    10Mbps   500m               RG-58 coaxial                    BNC
10BASE-T    10Mbps   100m               Category 3, 4, or 5 UTP or STP   RJ-45
10BASE-FL   10Mbps   Up to 2km          Fiber-optic                      SC or ST

The name 10BASE-2 breaks down as follows:
  • 10—10Mbps data transmission speed
  • Base—Represents baseband, the signaling mode where the media can only send one signal per wire at a time
  • 2—Actually refers to 185m or the maximum segment length (where 185 is rounded up to 200 and 2 is a multiple of 100m)
Traditional Ethernet supports data transfers at the rate of 10 Megabits per second (Mbps). Over time, as the performance needs of LANs have increased, the industry created additional Ethernet specifications for Fast Ethernet and Gigabit Ethernet. Fast Ethernet extends traditional Ethernet performance up to 100 Mbps and Gigabit Ethernet up to 1000 Mbps speeds.  

Summary of Fast Ethernet 802.3u Characteristics

Standard    Speed     Maximum Distance                 Media Type                       Connector Used
100BaseT4   100Mbps   100m                             Category 3, 4, or 5 UTP or STP   RJ-45
100BaseTX   100Mbps   100m                             Category 5 UTP or STP            RJ-45
100BaseFX   100Mbps   412m with half-duplex MM fiber   Fiber-optic                      SC or ST

For more information see here.

The first Ethernet was implemented commercially using thick coaxial cable, so it is called Thick Ethernet.

Thick Ethernet ( 10Base-5)

As in the images, all the computers are connected to the main backbone thick coaxial cable through AUI cables. Ethernet signals are converted into AUI signals in the MAU (Media Access Unit) or transceiver.




 
Disadvantages Of Thick Ethernet
  • Inflexible - It can be very difficult to add or move a node once it is connected to the coaxial cable.
  • Fault Intolerant - Since Thick Ethernet uses a common physical cable to interconnect all the nodes, the failure of any part of the coaxial cable or any node can cause the entire network to go down.
  • Susceptible To Ground Loops - A ground loop occurs when a network cable is used to interconnect devices that are powered from different sources, so that a difference in voltage exists between two points on the network. The result is an electrical current flowing through the shields of the cable, which introduces considerable noise into the center conductor.
  • Very Difficult Troubleshooting - Troubleshooting such a failure can be extremely frustrating, as the only way to do it is to check each node and the cabling between them one at a time.
Thin Ethernet (10Base-2)
  
Thin Ethernet got its name because the coaxial cable it runs on is thinner than the cable used for Thick Ethernet. The Thin Ethernet system has a much more flexible cable, which makes it possible to connect the coaxial cable directly to the Ethernet interface in the computer. The Network Interface Card (NIC) performs the functions of a transceiver, so no external transceiver is needed for workstations.



Disadvantages Of Thin Ethernet
  • Difficult To Change - Any change to the network will result in at least some "down time", as the bus must be broken and a new section spliced in at the point of the break.
  • Fault Intolerant - If any device or cable section attached to the network fails, it will most likely make the entire network go down.
  • Difficult Troubleshooting
  • Specialized Cable - The RG-58A/U coaxial cable used in 10Base-2 networks cannot be used for any other purpose. If the network is changed to another type, the cable will have to be replaced.
Because of all these disadvantages, and considering implementation feasibility, twisted-pair Ethernet took their place. The main advantage of twisted pair is that in office wiring we can use the same wire for both telephone and network wiring.

Twisted-Pair Ethernet (10Base-T)  

The twisted-pair Ethernet system operates over two pairs of wires, one pair used for receive data signals and the other pair used for transmit data signals. The two wires in each pair must be twisted together for the entire length of the segment, which is a standard technique used to improve the signal carrying characteristics of a wire pair.


Fiber Optic Ethernet (10BaseF)

The fiber optic media system uses pulses of light instead of electrical currents to send signals, which provides electrical isolation for the equipment at each end of a fiber link. The electrical isolation provides immunity from the effects of lightning strikes and the different ground currents found in separate buildings. This is essential when segments must travel outside a building to link separate buildings.





To learn more about Ethernet check this Ethernet Guide. In the next post I will cover connecting two devices, cabling and connectors.

Saturday, May 8, 2010

Introduction to Network Concepts II( OSI Model )

Today I'm going to talk about a concept that is very important in CCNA. This is actually a model that describes all the functionality of communication between two computers. The model was created by the International Organization for Standardization (ISO) in 1984 and is called the OSI Model (Open Systems Interconnection Model). Don't confuse the following terms.
  • ISO - International Organization for Standardization (remember this as International Standards Organization)
  • OSI Model - Open Systems Interconnection Model
  • IOS - Internetwork Operating System.
Before 1984 networks operated as one unit, and all the equipment used with a computer had to be made by one vendor: IBM or some other company produced all the parts of the computer (both hardware and software), and one IBM computer could communicate only with another IBM computer. This was a big restriction on the improvement of global communication. As a solution to this problem ISO introduced the ISO/OSI reference model.

The OSI model is a layered model with seven layers; the purpose of the layers is to give each layer clearly defined functions. Every layer has its own functionality and a standard for both inputs and outputs. These standards help manufacturers create interoperable network devices and software.
Cisco CCNA mainly talks about layer 2 and layer 3 functionality in the OSI model, but the OSI model will be used throughout your networking career. The following are the layers of the OSI model; you should remember this sequence of layers.


To remember the sequence of OSI layers you can use the following sentences.

All People Seem To Need Data Processing.
or, the other way round,
Programmers Do Not Throw Sausage Pizza Away.

This top-down explanation of the OSI model starts with the user interacting with the application layer and ends with the bit stream entering the physical medium from the physical layer; in between, the other five layers perform their own functions (see the video at the bottom).

Later on I'm going to describe more about the OSI model and the functions of each layer; for now let's see the main functions and protocols of each layer.

1. Application Layer (L7)
This is the layer where end users themselves interact with the network: the operating system and applications interact with this layer whenever the user wants to transfer files, read messages or perform any other network-related activity.
  • L7 Protocols: email protocols SMTP and POP3, Telnet, HTTP [Hyper Text Transfer Protocol], FTP [File Transfer Protocol], SNMP [Simple Network Management Protocol]
  • L7 Network Devices: gateway redirectors work on this layer.
2. Presentation Layer (L6)
This layer ensures that data is properly formatted: it converts the user data coming from the application layer into bits, and at the other end controls how the data is presented to the application layer. Other activities of this layer are

- Compatibility with the operating system
- proper encapsulation of data for network transmission.
- Data encryption, Decryption, Compression, and translation.

If you open a file in a word processing application and get pages of unrecognizable characters, that's a presentation layer issue.
  • L6 Protocols: ASCII, JPEG, GIF, MIDI, TIFF, EBCDIC, AVI, MPEG, MP3
  • L6 Network Devices: gateway redirectors work on this layer
3. Session Layer (L5)
This layer is the manager of two-way communication between two remote hosts: it handles the creation, maintenance and teardown of communications between those two hosts. The overall communication itself is referred to as a session. It offers three different modes: simplex, half duplex and full duplex.
  • L5 Protocols: the protocols that work on the session layer are NetBIOS, Mail Slots, Named Pipes, RPC
  • L5 Network Devices: Gateway
The above three layers of the OSI model are known as the application set, and the other four layers as the transport set.

4. Transport Layer (L4)
This layer mainly provides reliable (TCP) or unreliable (UDP) services for data transfer and segmentation of upper-layer data. Other functions of this layer:

- Establishes end-to-end connectivity between applications
- Defines flow control
- Provides acknowledgement of successful data transmission and retransmits the data if it did not arrive error-free.
- Error handling and connection-oriented or connectionless data delivery in the network.
  • L4 Protocols: TCP, UDP, SPX, NetBIOS, ATP and NWLink.
  • L4 Network Devices: the brouter, gateway and cable tester work on the transport layer.
5. Network Layer (L3)
This layer is sometimes known as the "Cisco layer". It defines logical addresses associated with a specific protocol and uses them to decide how data is transmitted between network devices. The network layer routes packets according to unique network addresses: the router works like a post office, and the network layer stamps the letters (data) with their specific destinations.
  • L3 Protocols: IP, ICMP, ARP, RIP, OSI, IPX and OSPF
  • L3 Network Devices: router, brouter, Frame Relay devices and ATM switch devices
6. Data Link Layer (L2)
Physical source and destination addressing is performed on this layer. Only error detection is performed; error correction is not.
- Identifies the higher layer protocol (Type or SAP)
- Frame sequencing
- Flow control
- Logical Link Control (LLC) performs link establishment
- Media Access Control (MAC) performs the access method
  • L2 Protocols: 802.3 CSMA/CD (Ethernet), 802.4 Token Bus (ARCnet), 802.5 Token Ring, 802.12 Demand Priority
  • L2 Network Devices: bridge, switch, ISDN, router, intelligent hub, NIC
7. Physical Layer (L1)
The physical layer defines the cables, network cards and physical aspects; it only understands 'ones' and 'zeros'. It also provides the interface between the network and network communication devices, and defines the physical characteristics of the network such as connections, voltage levels and timing.
  • L1 Protocols: ISDN, IEEE 802 and IEEE 802.2
  • L1 Network Devices: hubs, repeaters
In this post I have only tried to give an introduction to the functions of the OSI layers; in the next post I will talk more about the OSI model layers, their protocols and their devices.


 