Systems - Development Image (VMWare)
Get your local Testserver VM
- Download the image
- Import it into your VM player (usually you can just double-click the file you just downloaded)
  If you know you will need the signer (i.e. if you want to produce certificates on the test server) you should now set up the serial connection as described below.
- Start the imported VM
- Start your web browser and navigate to http://cacert1/. If you can already see the web site, the VM has successfully configured itself using DHCP and you're done. Congratulations.
- If you're still reading this then probably something went wrong in the automatic network setup, but fear not, it's probably just a minor problem. Just bear with me for a second.
  - Log in to the server as "root" using the password "it-sls".
    The VM might use a different keyboard layout than your normal operating system, so it's best to use the minus from the number block on your keyboard rather than the one near the letters.
    If you haven't set up the serial connection the console will probably print annoying stuff all the time (ttyS0: LSR safety check engaged!). Just ignore it and keep on typing. Once you have logged in you can type "/etc/init.d/commmodule stop" and after that "/etc/init.d/commmodule-signer stop" (using the division and minus sign from the number block) and the noise will stop for now.
  - Execute "dpkg-reconfigure console-data", choose "Select keymap from arch list" and in the following screens select the keyboard layout that comes as close to yours as possible. From now on you should be able to type as you're used to.
  - Execute "ifconfig | head -n20". If there are two sections called ethX (even -> cacert1, odd -> secure1), both having a line starting with "inet addr:" (not inet6), you need to put those IP addresses into your local (i.e. non-VM) /etc/hosts (Linux, probably MacOS too) or C:\Windows\system32\drivers\etc\hosts (Windows), mapping the hostname cacert1 to the IP shown for the interface with the even number and secure1 to the one with the odd number (see the Wikipedia entry on the hosts file for more information).
  - If there were no such entries in the ifconfig listing then the interfaces couldn't be configured using DHCP and you have to set an IP address manually:
    - Start an editor to work on the file /etc/network/interfaces (e.g. by typing "nano /etc/network/interfaces")
    - On the lines "map foo cacert1-dhcp" and "map foo secure1-dhcp" replace the dhcp with static
    - In the sections "iface cacert1-static" and "iface secure1-static" adjust the IP addresses, netmasks and gateway according to your needs
    - Save the file and exit the editor (for nano you can do that by hitting CTRL+X and then confirming with Y and ENTER)
    - Restart the network interfaces by executing "/etc/init.d/networking restart", which may print some errors, but that's normal for this setup; try "ifconfig | head -n20" to see whether it worked
    - Put the mapping from the host names (cacert1 and secure1; it's important that they are mapped exactly as in the /etc/network/interfaces) to the configured IPs into your local (i.e. non-VM) /etc/hosts as mentioned above.
- You're done. All other settings will automatically update themselves, no need to fiddle with the apache configuration and such.
  Putting the entries into the /etc/hosts is essential if the names can't be resolved automatically. You can't use the IP address directly in your browser: the server will redirect you to the host name if you don't use the right one (which is configured to be cacert1/secure1, not your IP), and if that's not present in the /etc/hosts your browser can't resolve that hostname and will show you an error.
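As an added example (not part of the original wiki page), a shell function that applies the even/odd rule from the ifconfig step: it reads the output of "ifconfig | head -n20", takes the IPv4 address of each ethX section and prints the two lines to append to your local hosts file, or fails when no interface got an address so that you know to fall back to the static /etc/network/interfaces setup. It assumes the classic net-tools ifconfig layout of that era (Debian lenny); the sample output is constructed, using the addresses from the example configuration further down.

```shell
#!/bin/sh
# Added example, not from the wiki page: turn "ifconfig | head -n20" output
# into the hosts-file lines described above. Rule from the page: the eth
# interface with the even number is cacert1, the odd one is secure1; only
# IPv4 "inet addr:" lines count, inet6 lines are ignored. Assumes the classic
# net-tools ifconfig layout (interface name at column 1 of a section header).

# hosts_from_ifconfig: ifconfig text on stdin -> "<ip>\t<hostname>" lines on
# stdout. Returns 0 when at least one address was found, 1 when none was
# (the DHCP failure case, where /etc/network/interfaces must be edited).
hosts_from_ifconfig() {
    awk '
        # Any section header (non-indented line) ends the previous interface,
        # so an address under "lo" is never attributed to an eth interface.
        /^[^ \t]/ { iface = "" }
        /^eth[0-9]+[ \t]/ { iface = substr($1, 4) }
        # IPv4 line of the current eth section: "inet addr:1.2.3.4  Bcast:..."
        iface != "" && $1 == "inet" && $2 ~ /^addr:/ {
            split($2, a, ":")
            name = (iface % 2 == 0) ? "cacert1" : "secure1"
            printf "%s\t%s\n", a[2], name
            found++
            iface = ""
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample of a successful DHCP run (addresses taken from the
# example /etc/network/interfaces in the chat log on this page).
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:0c:29:aa:bb:cc
          inet addr:172.16.128.113  Bcast:172.16.128.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feaa:bbcc/64 Scope:Link
eth1      Link encap:Ethernet  HWaddr 00:0c:29:aa:bb:dd
          inet addr:192.168.172.113  Bcast:192.168.172.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0'

# Stand-alone run: prints the two hosts lines for this sample.
printf '%s\n' "$SAMPLE_IFCONFIG" | hosts_from_ifconfig
```

On the VM itself you would run "ifconfig | head -n20 | hosts_from_ifconfig" and copy the two printed lines into the hosts file of your host system.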
Configuring the virtual machine for host-only / NAT networking
(00:45:31) dirk: auto lo eth0 eth1
(00:45:32) dirk: iface lo inet loopback
(00:45:45) dirk: iface eth0 inet static
(00:45:55) dirk: address 172.16.128.113
(00:46:05) dirk: netmask 255.255.255.0
(00:46:12) dirk: iface eth1 inet static
(00:46:21) dirk: address 192.168.172.113
(00:46:29) dirk: netmask 255.255.255.0
(00:46:37) dirk: gateway 192.168.172.2
(00:47:02) dirk: ... the important thing about the last entry is the .2 ... and not (as you would otherwise expect) the .1
(00:47:49) dirk: ...
(00:48:02) dirk: file /etc/network/interfaces
Configure USB / Serial device
VirtualBox
- Open the virtual machine settings
- Go to the "Serial Ports" section
- Check "Enable Serial Port" and choose the "Port Mode" as "Host Pipe"
- Check "Create Pipe"
- Enter
- Open a command line and execute
    cd /path/to/virtual_machine/cacert1.it-sls.de/
    ln -s serial.pipe serial.pipe.lnk
- Go to the second tab of the serial port settings of VirtualBox ("Port 2")
- Check "Enable Serial Port" and choose the "Port Mode" as "Host Pipe"
- Do NOT check "Create Pipe"
- Enter
VMWare
- To get the signer process running and communicating with the testserver, two serial connections have to be established in the VM settings so that the signer process and the testserver can talk to each other through a named pipe.
- USB/serial configuration, connecting a serial device under VMware: http://www.vmware.com/pdf/server_vm_manual.pdf p. 220 ff., "Connecting an Application on the Host to a Virtual Machine", including "Connecting Two Virtual Machines" (communication through a named pipe).
  - For a serial pipe on a Linux host, enter /tmp/<socket>
  - For a serial pipe on a Windows host, the pipe name must follow the form \\.\pipe\<namedpipe>
- Configure the serial ports under VMware (serial port configuration under VMware, port 1 + port 2)
- Serial ports configuration under ESX:
  - Serial port 1: use named pipe "cacert#signer", near end: Client, far end: A process, "Yield CPU on poll" enabled
  - Serial port 2: use named pipe "cacert#signer", near end: Server, far end: A process, "Yield CPU on poll" enabled
Alternate Manual Modification Options on RAW ESX VM for local use
- Below you'll find a couple of configuration options that you need if you're trying to modify one of the older images or to reconfigure one of the preconfigured images to your needs (e.g. to connect from a mysql management console to the server):
  - ifconfig -> eth1 10.38.6.79; modify to your needs
  - /etc/network/interfaces: eth2 -> eth0 ?
  - /etc/hosts: replace hostnames + replace the value for the git repository: 212.38.6.92 git-cacert.it-sls.de git-cacert (for a successful git pull ;-) .....)
  - /etc/timezone
  - reboot
  - /root/firewall.sh (drops, but doesn't log, some undesired local traffic): replace 10.38.6.0/24 ->
  - /etc/mailname: replace hostname
  - /etc/resolv.conf: replace name servers
  - /etc/default/bootlogd (enable bootlogd)
  - /etc/hostname: modify hostname ?
  - /home/cacert/www/includes/mysql.php: modify hostnames
  - /home/cacert/www/www/images/cacert4.png (replace ?)
  - /home/cacert/etc/hosts (for the chroot'ed environment): update servername(s) + IPs + replace the value for the git repository: 212.38.6.92 git-cacert.it-sls.de git-cacert (for a successful git pull ;-) .....)
  - /home/cacert/etc/resolv.conf: update nameservers
  - ( /home/cacert/etc/apache/httpd.conf )
  - /home/cacert/etc/apache2/sites-enabled/@cacert (changed in the 2011-10-26 revision): NameVirtualHost 10.38.6.74 ff. replace ???
  - 5. Get rid of the firewall (IPv4 allow, IPv6 drop) in /root/firewall.sh:
      iptables --flush INPUT
      iptables --flush FORWARD
      iptables --flush OUTPUT
      iptables -P INPUT ACCEPT
      iptables -P FORWARD ACCEPT
      iptables -P OUTPUT ACCEPT
      ip6tables -P INPUT DROP
      ip6tables -P FORWARD DROP
      ip6tables -P OUTPUT DROP
  - 6. Connect remotely to mysql:
      chown mysql:mysql /var/lib/mysql/*
      chown mysql:mysql /var/lib/mysql/mysql/*
      mysql> grant all on mysql.* to 'your-user-here'@'your-remote-machine-ip' with grant option;
      mysql> grant all on cacert.* to 'your-user-here'@'your-remote-machine-ip' with grant option;
      mysql> set password for 'your-user-here'@'your-remote-machine-ip' = password('your-password-here');
    (should solve the problem of connecting with a remote mysql admin tool or browser)
    your-remote-machine-ip is e.g. your local IP 192.168.178.123, and/or the default '%'
    /etc/mysql/my.cnf: bind-address 127.0.0.1 -> machine IP (this requires modifications to mysql.php too). Alternative: bind-address 0.0.0.0 (which is all interfaces)
Additional optional modifications
- apt-get: lenny/main is mostly unsupported. Alternative: edit /etc/apt/sources.list and add the lines
    deb http://archive.debian.org/debian-archive/debian/ lenny main
    deb-src http://archive.debian.org/debian-archive/debian/ lenny main
  then execute: apt-get update
- 1. Connect a windows share -> install smbfs:
    apt-get install smbfs
    echo 'smbfs' >> /etc/modules
    mkdir -p /mnt/<yourservername>
    mount -t smbfs -o username=<username for share access> //<yourservername>.<dnsdomain>.<TLD>/c$ /mnt/<yourservername>
  On "permission denied" (error 13) try
    mount -t cifs -o username=<username for share access>,password=<password> //<yourservername>.<dnsdomain>.<TLD>/c$ /mnt/<yourservername>
  (for detailed instructions see http://www.debian-administration.org/articles/165)
- 2. Install ntpd:
    apt-get install ntp
  (source: http://www.cyberciti.biz/faq/debian-ubuntu-linux-install-ntpd/), then configure /etc/ntp.conf
Developer Image in kvm/qemu
- Convert the ova image to a qcow2 image; a guide to do this can be found at http://blog.bodhizazen.net/linux/convert-virtualbox-vdi-to-kvm-qcow/
- Import the qcow image into a new virtual machine
- Configure the virtual machine with 2 network interfaces
- In the grub menu, change the root block device from sda1 to vda1
- Boot the machine
- Log in and stop the commmodule processes to remove the spam from the console (see some sections above)
- Change the entries in /etc/fstab from sda to vda
- Change the entries in /boot/grub/menu.lst from sda to vda (you can also try to run grub-mkdevicemap && update-grub, haven't tried that yet)
- Remove the /etc/udev/rules.d/70-persistent-net.rules to have your network cards mapped as eth0 and eth1
- Depending on your requirements, you can also adjust /etc/network/interfaces to assign IPs
Changes to testserver image T8 (**)
adjust ip settings on vm
- $EDITOR /home/cacert/etc/apache2/sites-enabled/cacert
  - exchange the IP in the VirtualHost section to *:443
  - add in front of the first SSL vhost: NameVirtualHost *:443
- save file
- chroot /home/cacert
- apachectl restart (inside of chroot)
changes for git on vm to allow an automatic update push of the testserver-stable branch
- $EDITOR /home/cacert/www/.git/hooks/post-update
- add in front of exec: git checkout -f testserver-stable
- save changes
- in directory /home/cacert/www add permissions for your own user: chown -R user:group .
- on the host system, add the path to the local testserver to git:
  git remote add localtest ssh://un@<ip>/home/cacert/www
Testserver Certs period changes
changes to apply to signer to change certs periods
- to switch the certs' expiry period for testing from 6 months/1 year/2 years to 3 days/7 days/30 days and back
Logs and places within system
Logs in the testserver(s):
- /home/cacert/var/log/apache2/*.log (e.g. error.log, access.log)
- /home/cacert/git/cacert/CommModule/logfile*
- /home/signer/cacert-devel/CommModule/logfile*
- /var/log/mysql/mysql*.log
Links
How to prepare an image that was just exported from ESX
Remark: under Windows 7, VMware Player 3.1 must run in Windows XP mode, see http://www.infernodevelopment.com/forum/Thread-VMWare-Player-Windows-7-Internet-Not-Working
1) The vmware host is running on a VMware ESX Server 3i 3.5.0 build-207095 revision. The vm-version/hw-levels table defines 3i 3.5.0 as HW level 4.