
Quick ‘n’ Easy LAMP Server For CentOS/RHEL

This tutorial shows a quick way of installing a LAMP server (Linux + Apache + MySQL + PHP/Perl, together commonly known as a LAMP server) on CentOS and RHEL systems.

  • Apache Web Server 2.0
  • MySQL Database Server 5.0
  • PHP Scripting Language 5.0
  • phpMyAdmin – Web based MySQL Administration Tool
  • Webmin – A free web based hosting control panel

Goal

To set up a LAMP server on a fresh VPS/dedicated server running CentOS 5.0 with at least 256 MB of RAM. We will also be installing Webmin, a free server control panel for Linux. If you are using Debian/Ubuntu, refer to this article.

Install Apache

Apache is the most popular HTTP web server for Linux servers.

yum install httpd httpd-devel

We might need the httpd-devel libraries to compile and install other modules from source, so install them to be on the safe side. The Apache configuration file is /etc/httpd/conf/httpd.conf.

/etc/init.d/httpd start

Install MySQL Database Server

MySQL is a widely used open source database server on most Linux servers and integrates well with PHP and Apache on CentOS/RHEL.

yum install mysql mysql-server mysql-devel

If you try to run mysql at the command prompt now, you will get this error:

ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock'

This is because the mysqld daemon is not running when you launch the mysql client. The socket file /var/lib/mysql/mysql.sock is created automatically when mysqld starts.

To fix:

First start the mysql daemon, then type mysql:

/etc/init.d/mysqld start
mysql

Changing MySQL Root Password

By default the root password is empty for the mysql database. It is a good idea to change the mysql root password to a new one from a security point of view.

mysql> USE mysql;
mysql> UPDATE user SET Password=PASSWORD('newpassword') WHERE user='root';
mysql> FLUSH PRIVILEGES;

Once done, check by logging in:

mysql -u root -p
Enter Password:

To Create A New MySQL User

To create a new mysql user 'guest' with all privileges on the database 'demo':

mysql> CREATE DATABASE demo;
mysql> GRANT ALL PRIVILEGES ON demo.* TO 'guest'@'localhost' IDENTIFIED BY 'guest' WITH GRANT OPTION;
mysql> UPDATE user SET Password=PASSWORD('guest') WHERE user='guest';

That's it! MySQL is ready. Make a note of the root password, as we will need it for phpMyAdmin.

Install PHP5 Scripting Language

Installing PHP5 with the necessary modules is easy, and it can be configured for both the Apache and MySQL environment.

yum install php php-mysql php-common php-gd php-mbstring php-mcrypt php-devel php-xml

Don't forget to install php-gd (the GD library). It is very important if we plan to run captcha scripts on our server, as well as other scripts that depend on MySQL and other functions.

Restart Apache to load php.

/etc/init.d/httpd restart

To Test If PHP Is Working Or Not:

Create a file named /var/www/html/test.php containing a call to phpinfo() inside PHP tags:

<?php
// test.php
phpinfo();
?>

Then point your browser to http://ip.address/test.php.

That's it! You should see a PHP configuration page listing all kinds of paths and installed modules.

Closely observe the installed configuration on your server.

* PHP paths (php.ini path)
* Apache paths and loaded modules (mod_security, mod_evasive if installed)
* PHP GD library
* MySQL paths and other information

Install phpMyAdmin

phpMyAdmin is a free web-based MySQL database administration tool. Without phpMyAdmin it is almost impossible to perform MySQL database operations from the command line. phpMyAdmin is so convenient that most webmasters expect it to be present alongside the MySQL server.

yum install phpmyadmin

Point your browser to: http://ip.address/phpmyadmin.

Common Errors

You might encounter the following errors while configuring phpmyadmin.

Forbidden
You don't have permission to access /phpmyadmin/ on this server.

To fix:

Edit /etc/httpd/conf.d/phpmyadmin.conf and comment out the line Deny from all, as in the snippet below.

nano /etc/httpd/conf.d/phpmyadmin.conf

<Directory /usr/share/phpmyadmin/>
    Order Deny,Allow
    # Deny from all
    # With Deny commented out, Order Deny,Allow admits every client;
    # list only your admin hosts in Allow to keep phpMyAdmin restricted.
    Allow from 127.0.0.1
</Directory>

Error
The configuration file now needs a secret passphrase (blowfish_secret)

To fix:

nano /usr/share/phpmyadmin/config.inc.php

Look for the following line and enter any passphrase. Just don't leave it empty!

$cfg['blowfish_secret'] = 'mydemopass'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */

It worked for me using the above methods!
Log into the phpmyadmin with the mysql root password we changed while installing the mysql database.

Install Webmin

Webmin is a free server hosting control panel for Linux. It is a web-based administration tool and is handy for tweaking settings on your server if you are a beginner to Linux. You can download Webmin here. Since Webmin cannot be installed using yum, we download an RPM package and install it on our server.

wget
rpm -i webmin-1.410-1.noarch.rpm

That should be a pretty easy installation! Remember webmin uses port 10000 and should not be blocked by your firewall.

Point your browser to: http://ip.address:10000

You should see the Webmin login page. But we don't know the login and password yet! To set the Webmin password, run the script below:

/usr/libexec/webmin/changepass.pl /etc/webmin admin

Log in with the admin username and new webmin password!
To uninstall webmin, just run:

/etc/webmin/uninstall.sh

Final Steps

We want the Apache and mysql to be loaded at every boot so we switch them on using chkconfig:

chkconfig httpd on
chkconfig mysqld on

You can also place comments in my blog. I would appreciate any feedbacks as well!

This tutorial was written and contributed to HowToForge by Mr.Balakrishnan who currently runs MySQL-Apache-PHP.com. Permission is fully granted to copy/republish this tutorial in any form, provided a source is mentioned with a live link back to the authors site.


By Jeffrey on January 20, 2010 | How To's

How To Set Up DHCP Failover On Centos 5.1

Introduction

This tutorial will walk you through setting up DHCP failover on CentOS 5.1 using the default ISC DHCP server; this can easily be adapted to any other Linux distro out there. You will most likely need failover in environments where network downtime cannot be tolerated. My home is running a DLNA setup, so I need my devices to be able to obtain network parameters at all times.

Since DHCP and DNS often go hand in hand, I will be configuring a local DNS server which allows dynamic updates, so that hostnames are automatically added to DNS whenever a lease is granted to a client.

My configuration uses the following values; please substitute your own network's.

  • Domain name – home.topdog-software.com
  • Network – 192.168.1.0/24
  • DHCP servers – 192.168.1.2,192.168.1.3
  • Gateway – 192.168.1.254
  • DNS servers – 192.168.1.2,192.168.1.3

Install required Packages

  • DHCP

    # yum install dhcp -y

  • DNS

    # yum install bind bind-chroot caching-nameserver -y

  • NTP

    # yum install ntp -y

Configuration

DHCP

Back up your original config on the master 192.168.1.2:

# cp /etc/dhcpd.conf /etc/dhcpd.conf.orig

Edit the DHCP configuration /etc/dhcpd.conf on the master 192.168.1.2 and add the following; read the comments to understand the options:

authoritative;                                        # server is authoritative
option domain-name "home.topdog-software.com";        # the domain name issued
option domain-name-servers 192.168.1.2, 192.168.1.3;  # name servers issued
option netbios-name-servers 192.168.1.2;              # netbios servers
allow booting;                                        # allow for booting over the network
allow bootp;                                          # allow for booting
next-server 192.168.1.2;                              # TFTP server for booting
filename "pxelinux.0";                                # kernel for network booting
ddns-update-style interim;                            # set up dynamic DNS updates
ddns-updates on;
ddns-domainname "home.topdog-software.com";           # domain name for DDNS updates
key rndckey {
    algorithm hmac-md5;
    secret "xxxxxxxxxx";                              # get from the /etc/rndc.key file
}
zone home.topdog-software.com {                       # forward zone to update
    primary 127.0.0.1;                                # update on the local machine
    key rndckey;                                      # key to use for the update
}
zone 1.168.192.in-addr.arpa {                         # reverse zone to update
    primary 127.0.0.1;                                # update on the local machine
    key rndckey;                                      # key for update
}
failover peer "home-net" {                            # failover configuration
    primary;                                          # this is the primary
    address 192.168.1.2;                              # primary's IP address
    port 647;
    peer address 192.168.1.3;                         # peer's IP address
    peer port 647;
    max-response-delay 60;
    max-unacked-updates 10;
    mclt 3600;
    split 128;
    load balance max seconds 3;
}
subnet 192.168.1.0 netmask 255.255.255.0 {            # zone to issue addresses from
    pool {
        failover peer "home-net";                     # pool for DHCP leases with failover; bootp not allowed
        deny dynamic bootp clients;
        option routers 192.168.1.254;
        range 192.168.1.25 192.168.1.50;
    }
    pool {                                            # accommodate our bootp clients here; no replication and failover
        option routers 192.168.1.254;
        range 192.168.1.51 192.168.1.55;
    }
    allow unknown-clients;
    ignore client-updates;
}

Back up your original config on the slave 192.168.1.3:

# cp /etc/dhcpd.conf /etc/dhcpd.conf.orig

Edit the DHCP configuration /etc/dhcpd.conf on the slave 192.168.1.3 and add the following; read the comments to understand the options:

authoritative;                                        # server is authoritative
option domain-name "home.topdog-software.com";        # the domain name issued
option domain-name-servers 192.168.1.2, 192.168.1.3;  # name servers issued
option netbios-name-servers 192.168.1.2;              # netbios servers
allow booting;                                        # allow for booting over the network
allow bootp;                                          # allow for booting
next-server 192.168.1.2;                              # TFTP server for booting
filename "pxelinux.0";                                # kernel for network booting
ddns-update-style interim;                            # set up dynamic DNS updates
ddns-updates on;
ddns-domainname "home.topdog-software.com";           # domain name for DDNS updates
key rndckey {
    algorithm hmac-md5;
    secret "xxxxxxxxxx";                              # get from the /etc/rndc.key file on the master
}
zone home.topdog-software.com {                       # forward zone to update
    primary 192.168.1.2;                              # send updates to the master
    key rndckey;                                      # key to use for the update
}
zone 1.168.192.in-addr.arpa {                         # reverse zone to update
    primary 192.168.1.2;                              # send updates to the master
    key rndckey;                                      # key for update
}
failover peer "home-net" {                            # failover configuration
    secondary;                                        # this is the secondary
    address 192.168.1.3;                              # our IP address
    port 647;
    peer address 192.168.1.2;                         # primary's IP address
    peer port 647;
    max-response-delay 60;
    max-unacked-updates 10;
    mclt 3600;
    load balance max seconds 3;
}
subnet 192.168.1.0 netmask 255.255.255.0 {            # zone to issue addresses from
    pool {
        failover peer "home-net";                     # pool for DHCP leases with failover; bootp not allowed
        deny dynamic bootp clients;
        option routers 192.168.1.254;
        range 192.168.1.25 192.168.1.50;
    }
    pool {                                            # accommodate our bootp clients here; no replication and failover
        option routers 192.168.1.254;
        range 192.168.1.51 192.168.1.55;
    }
    allow unknown-clients;
    ignore client-updates;
}
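As an added cross-check (this is not the tutorial's own code), the following Python parses the two failover peer blocks above and verifies that they mirror each other: exactly one primary and one secondary, each side's address and port equal to the other side's peer address and peer port, a matching mclt where both set it, and split only on the primary. The two configuration strings are constructed from the values on this page.

```python
import re

# Constructed from the master's and slave's dhcpd.conf fragments shown above.
PRIMARY_CONF = """
failover peer "home-net" {
    primary;
    address 192.168.1.2;
    port 647;
    peer address 192.168.1.3;
    peer port 647;
    max-response-delay 60;
    max-unacked-updates 10;
    mclt 3600;
    split 128;
    load balance max seconds 3;
}
"""

SECONDARY_CONF = """
failover peer "home-net" {
    secondary;
    address 192.168.1.3;
    port 647;
    peer address 192.168.1.2;
    peer port 647;
    max-response-delay 60;
    max-unacked-updates 10;
    mclt 3600;
    load balance max seconds 3;
}
"""

BLOCK_RE = re.compile(r'failover\s+peer\s+"([^"]+)"\s*\{(.*?)\}', re.S)


def parse_failover_peer(conf: str) -> dict:
    """Return the settings of the first 'failover peer' block as a dict.

    Single-word statements (primary; / secondary;) become the 'role' key;
    multi-word statements are keyed by everything before their last token,
    so 'peer address 192.168.1.3' becomes {'peer address': '192.168.1.3'}.
    """
    m = BLOCK_RE.search(conf)
    if not m:
        raise ValueError("no failover peer block found")
    settings = {"name": m.group(1)}
    for stmt in m.group(2).split(";"):
        stmt = re.sub(r"#.*", "", stmt).strip()   # drop trailing comments
        if not stmt:
            continue
        words = stmt.split()
        if len(words) == 1:
            settings["role"] = words[0]
        else:
            settings[" ".join(words[:-1])] = words[-1]
    return settings


def check_peer_pair(primary: dict, secondary: dict) -> list:
    """Cross-check the two peer blocks; return a list of problem descriptions."""
    problems = []
    if primary.get("role") != "primary" or secondary.get("role") != "secondary":
        problems.append("roles must be exactly one primary and one secondary")
    if primary["name"] != secondary["name"]:
        problems.append("failover peer names differ")
    # Each side's own address/port must equal the other side's peer address/port.
    for own, peer in (("address", "peer address"), ("port", "peer port")):
        if primary.get(own) != secondary.get(peer):
            problems.append(f"primary {own} != secondary {peer}")
        if secondary.get(own) != primary.get(peer):
            problems.append(f"secondary {own} != primary {peer}")
    # mclt is defined on the primary; if the secondary repeats it, it must match.
    if "mclt" in secondary and primary.get("mclt") != secondary["mclt"]:
        problems.append("mclt differs between peers")
    # split is only valid on the primary.
    if "split" not in primary:
        problems.append("primary is missing split")
    if "split" in secondary:
        problems.append("split must only be set on the primary")
    return problems


def check_page_configs() -> list:
    """Run the cross-check over the two constructed fragments from this page."""
    return check_peer_pair(parse_failover_peer(PRIMARY_CONF),
                           parse_failover_peer(SECONDARY_CONF))


if __name__ == "__main__":
    print(check_page_configs() or "failover peer blocks are consistent")
```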

DNS

Back up the BIND configuration on the master:

# cp /var/named/chroot/etc/named.caching-nameserver.conf /var/named/chroot/etc/named.caching-nameserver.conf.orig

Edit the configuration to reflect the config below.

options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    query-source port 53;
    query-source-v6 port 53;
    allow-query { localhost; localnets; };
};
include "/etc/rndc.key";
include "/etc/named.rfc1912.zones";
zone "home.topdog-software.com" {
    type master;
    file "data/home.topdog-software.com.hosts";
    allow-transfer { 192.168.1.3; };
    allow-update { key "rndckey"; };
    allow-query { any; };
};
zone "1.168.192.in-addr.arpa" {
    type master;
    file "data/1.168.192.in-addr.arpa.hosts";
    allow-transfer { 192.168.1.3; };
    allow-update { key "rndckey"; };
    allow-query { any; };
};

Back up the BIND configuration on the slave:

# cp /var/named/chroot/etc/named.caching-nameserver.conf /var/named/chroot/etc/named.caching-nameserver.conf.orig

Edit the configuration to reflect the config below.

options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    query-source port 53;
    query-source-v6 port 53;
    allow-query { localhost; localnets; };
};
include "/etc/rndc.key";
include "/etc/named.rfc1912.zones";
zone "home.topdog-software.com" {
    type slave;
    masters { 192.168.1.2; };
    file "data/home.topdog-software.com.hosts";
};
zone "1.168.192.in-addr.arpa" {
    type slave;
    masters { 192.168.1.2; };
    file "data/1.168.192.in-addr.arpa.hosts";
};

Create the zone files on the master

  • /var/named/chroot/var/named/data/home.topdog-software.com.hosts

    $ORIGIN .
    $TTL 38400
    home.topdog-software.com IN SOA ns1.home.topdog-software.com. andrew.topdog.za.net. (
                            2008061629 ; serial
                            10800      ; refresh (3 hours)
                            3600       ; retry (1 hour)
                            604800     ; expire (1 week)
                            38400      ; minimum (10 hours 40 minutes)
                            )
                            NS ns1.home.topdog-software.com.
                            NS ns2.home.topdog-software.com.
    $ORIGIN home.topdog-software.com.   ; so the names below are qualified within the zone
    ns1                     IN A 192.168.1.2
    ns2                     IN A 192.168.1.3

  • /var/named/chroot/var/named/data/1.168.192.in-addr.arpa.hosts

    $ORIGIN .
    $TTL 38400 ; 10 hours 40 minutes
    1.168.192.in-addr.arpa IN SOA ns1.home.topdog-software.com. andrew.topdog.za.net. (
                            2008061644 ; serial
                            10800      ; refresh (3 hours)
                            3600       ; retry (1 hour)
                            604800     ; expire (1 week)
                            38400      ; minimum (10 hours 40 minutes)
                            )
                            NS ns1.home.topdog-software.com.
                            NS ns2.home.topdog-software.com.
    $ORIGIN 1.168.192.in-addr.arpa.     ; so the names below are qualified within the zone
    2                       IN PTR ns1.home.topdog-software.com.
    3                       IN PTR ns2.home.topdog-software.com.

NTP

NTP is required because the two DHCP servers need to be in sync for failover, as well as for DDNS, to work. You can run a full-fledged NTP server if you want; I will only provide instructions on using cron to sync the clock to an external NTP server every hour. You need to do this on BOTH servers.

  • create a file /etc/cron.hourly/timesync and add the following:

    #!/bin/bash
    #
    ntpdate -s 0.rhel.pool.ntp.org

  • make the file executable and run it for the first time:

    # chmod +x /etc/cron.hourly/timesync
    # /etc/cron.hourly/timesync

Finally

Well, we are done; let's fire up the services and begin testing.

  • on the master:

    # service named start
    # service dhcpd start

  • on the slave:

    # service named start
    # service dhcpd start

You should see the following in your logs on the master:

Jun 16 13:58:56 kudusoft dhcpd: failover peer home-net: I move from recover to startup
Jun 16 13:58:56 kudusoft dhcpd: dhcpd startup succeeded
Jun 16 13:58:56 kudusoft dhcpd: failover peer home-net: I move from startup to recover
Jun 16 13:59:12 kudusoft dhcpd: failover peer home-net: peer moves from unknown-state to recover
Jun 16 13:59:12 kudusoft dhcpd: failover peer home-net: requesting full update from peer
Jun 16 13:59:12 kudusoft dhcpd: Sent update request all message to home-net
Jun 16 13:59:12 kudusoft dhcpd: failover peer home-net: peer moves from recover to recover
Jun 16 13:59:12 kudusoft dhcpd: failover peer home-net: requesting full update from peer
Jun 16 13:59:12 kudusoft dhcpd: Update request all from home-net: sending update
Jun 16 13:59:12 kudusoft dhcpd: failover peer home-net: peer update completed.
Jun 16 13:59:12 kudusoft dhcpd: failover peer home-net: I move from recover to recover-done
Jun 16 13:59:13 kudusoft dhcpd: Sent update done message to home-net
Jun 16 13:59:13 kudusoft dhcpd: failover peer home-net: peer moves from recover to recover-done
Jun 16 13:59:13 kudusoft dhcpd: failover peer home-net: I move from recover-done to normal
Jun 16 13:59:13 kudusoft dhcpd: failover peer home-net: peer moves from recover-done to normal
Jun 16 13:59:14 kudusoft dhcpd: pool 914eb10 192.168.1/24 total 26 free 25 backup 0 lts -12
Jun 16 13:59:14 kudusoft dhcpd: pool 914eb10 192.168.1/24 total 26 free 25 backup 0 lts 12

And on the slave:

Jun 16 13:59:12 shaka dhcpd: Sending on Socket/fallback/fallback-net
Jun 16 13:59:12 shaka dhcpd: failover peer home-net: I move from recover to startup
Jun 16 13:59:12 shaka dhcpd: failover peer home-net: peer moves from unknown-state to recover
Jun 16 13:59:12 shaka dhcpd: dhcpd startup succeeded
Jun 16 13:59:12 shaka dhcpd: failover peer home-net: requesting full update from peer
Jun 16 13:59:12 shaka dhcpd: failover peer home-net: I move from startup to recover
Jun 16 13:59:12 shaka dhcpd: Sent update request all message to home-net
Jun 16 13:59:12 shaka dhcpd: Sent update done message to home-net
Jun 16 13:59:12 shaka dhcpd: Update request all from home-net: nothing pending
Jun 16 13:59:12 shaka dhcpd: failover peer home-net: peer moves from recover to recover-done
Jun 16 13:59:14 shaka dhcpd: failover peer home-net: peer update completed.
Jun 16 13:59:14 shaka dhcpd: failover peer home-net: I move from recover to recover-done
Jun 16 13:59:14 shaka dhcpd: failover peer home-net: peer moves from recover-done to normal
Jun 16 13:59:14 shaka dhcpd: failover peer home-net: I move from recover-done to normal
Jun 16 13:59:14 shaka dhcpd: pool 9d78ad8 192.168.1
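Reading the state machine out of syslog by eye does not scale past the first test, so here is an added Python checker (not part of the tutorial) that replays the "I move from X to Y" and "peer moves from X to Y" transitions in dhcpd's log output and reports any failover peer whose two sides did not both end in normal. The sample log is a constructed subset of the master's lines above; a side left in communications-interrupted or partner-down is what you want to alert on.

```python
import re

# Constructed sample, condensed from the master's log lines shown above.
SAMPLE_LOG = """\
Jun 16 13:58:56 kudusoft dhcpd: failover peer home-net: I move from recover to startup
Jun 16 13:58:56 kudusoft dhcpd: dhcpd startup succeeded
Jun 16 13:58:56 kudusoft dhcpd: failover peer home-net: I move from startup to recover
Jun 16 13:59:12 kudusoft dhcpd: failover peer home-net: peer moves from unknown-state to recover
Jun 16 13:59:12 kudusoft dhcpd: failover peer home-net: requesting full update from peer
Jun 16 13:59:12 kudusoft dhcpd: failover peer home-net: peer update completed.
Jun 16 13:59:12 kudusoft dhcpd: failover peer home-net: I move from recover to recover-done
Jun 16 13:59:13 kudusoft dhcpd: failover peer home-net: peer moves from recover to recover-done
Jun 16 13:59:13 kudusoft dhcpd: failover peer home-net: I move from recover-done to normal
Jun 16 13:59:13 kudusoft dhcpd: failover peer home-net: peer moves from recover-done to normal
Jun 16 13:59:14 kudusoft dhcpd: pool 914eb10 192.168.1/24 total 26 free 25 backup 0 lts -12
"""

# "I move from A to B" is the local server; "peer moves from A to B" is the partner.
STATE_RE = re.compile(
    r"failover peer (?P<peer>\S+): (?P<who>I move|peer moves) from (?P<old>\S+) to (?P<new>\S+)"
)


def failover_states(log_text: str) -> dict:
    """Replay the transitions and return {peer_name: {"local": state, "remote": state}}."""
    states = {}
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if not m:
            continue                      # startup, pool and update lines carry no state
        side = "local" if m.group("who") == "I move" else "remote"
        states.setdefault(m.group("peer"), {})[side] = m.group("new")
    return states


def unhealthy_peers(log_text: str) -> list:
    """Names of failover peers where either side did not finish in 'normal'.

    Any other final state (communications-interrupted, partner-down, recover,
    startup, ...) means the pair is not replicating leases as intended.
    """
    bad = []
    for peer, sides in failover_states(log_text).items():
        if sides.get("local") != "normal" or sides.get("remote") != "normal":
            bad.append(peer)
    return bad


if __name__ == "__main__":
    print(failover_states(SAMPLE_LOG))
    print("unhealthy:", unhealthy_peers(SAMPLE_LOG))
```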




Installing MySQL Proxy On CentOS 5 (FINAL) x86_64

This tutorial explains how you can install MySQL Proxy on a CentOS 5 (x86_64) system. MySQL Proxy is a simple program that sits between your client and MySQL server(s) that can monitor, analyze or transform their communication. Its flexibility allows for unlimited uses; common ones include: load balancing; failover; query analysis; query filtering and modification; and many more.

On a fresh minimal CentOS 5 (final) x86_64 install:

yum install gcc.x86_64 libevent.x86_64 libevent-devel.x86_64 readline.x86_64 readline-devel.x86_64 ncurses.x86_64 ncurses-devel.x86_64 glib2.x86_64 glib2-devel.x86_64

cd /usr/local/src/

wget http://www.lua.org/ftp/lua-5.1.3.tar.gz
tar zxvf lua-5.1.3.tar.gz

cd lua-5.1.3
make linux
make install

wget http://dev.mysql.com/get/Downloads/MySQL-Cluster-6.2/mysql-5.1.23-ndb-6.2.15-linux-x86_64-glibc23.tar.gz/\
from/http://www.mirrorservice.org/sites/ftp.mysql.com/

tar xzvf mysql-5.1.23-ndb-6.2.15-linux-x86_64-glibc23.tar.gz
ln -s mysql-5.1.23-ndb-6.2.15-linux-x86_64-glibc23 mysql

PATH=$PATH:/usr/local/mysql/bin
export PATH

Edit your ~/.bash_profile to make this permanent:

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs
PATH=$PATH:/usr/local/mysql/bin:$HOME/bin
export PATH
unset USERNAME

wget http://dev.mysql.com/get/Downloads/MySQL-Proxy/mysql-proxy-0.6.1.tar.gz/from/http://www.mirrorservice.org/sites/ftp.mysql.com/

tar zxvf mysql-proxy-0.6.1.tar.gz
cd mysql-proxy-0.6.1

./configure LDFLAGS="-lm -ldl" LUA_CFLAGS="-I/usr/local/include/" LUA_LIBS=/usr/local/lib/liblua.a

make
make install

Let's create a sample Lua script so you can see some logs.

mkdir /var/log/mysql-proxy/
mkdir -p /usr/local/mysql/lua-scripts/

vi /usr/local/mysql/lua-scripts/simple-log.lua

(See http://www.oreillynet.com/pub/a/databases/2007/07/12/getting-started-with-mysql-proxy.html?page=3; the script is modified to get the client IP and to use proxy.connection.server.thread_id.)

local log_file = '/var/log/mysql-proxy/mysql.log'
local fh = io.open(log_file, "a+")

-- called for every packet the client sends; only COM_QUERY packets are logged
function read_query( packet )
    if string.byte(packet) == proxy.COM_QUERY then
        local query = string.sub(packet, 2)   -- strip the command byte
        fh:write( string.format("%s %6d -- %s :IP %s :USER: %s\n",
            os.date('%Y-%m-%d %H:%M:%S'),
            proxy.connection.server.thread_id,
            query,
            proxy.connection.client.address,
            proxy.connection.client.username))
        fh:flush()
    end
end

Now start up your proxy using the --proxy-backend-addresses option to point the proxy at your servers.

/usr/local/sbin/mysql-proxy --proxy-lua-script=/usr/local/mysql/lua-scripts/simple-log.lua --proxy-backend-addresses=192.168.1.33:3306 --proxy-backend-addresses=192.168.1.34:3306 --daemon

192.168.1.33 and 192.168.1.34 are the MySQL nodes that the proxy will be connecting to.

Allow connections for the proxy through your firewall:

### ALLOWED TO CONNECT TO MYSQL PROXY ###
### LOCAL ADMINS
-A INPUT -s SRC-IP -d DST-IP -p tcp -m state --state NEW -m tcp --dport 4040 -j ACCEPT

Where DST-IP is my proxy server and SRC-IP is my local box (client machine).

Now from your local box (not the mysql-proxy server) try to connect to the backend databases through the proxy (a user with the relevant permissions must exist in the database).

mysql -u dba_admin -p -h PROXY-SERVER -P 4040

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 16 to server version: 5.1.23-ndb-6.2.15

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;

+--------------------+
| Database           |
+--------------------+
| information_schema |
| Imap_Forms         |
| mysql              |
| test               |
+--------------------+
4 rows in set (0.01 sec)

mysql> quit

Bye

N.B. The proxy uses the port 4040 instead of 3306.

Test the mysql-proxy admin interface from the mysql-proxy server:

mysql -u root -p -h 127.0.0.1 -P 4041

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.1.20-agent MySQL Enterprise Agent

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select * from proxy_connections;

+------+--------+-------+------+
| id   | type   | state | db   |
+------+--------+-------+------+
|    0 | server |     0 |      |
|    1 | proxy  |     0 |      |
|    2 | server |    10 |      |
+------+--------+-------+------+
3 rows in set (0.00 sec)

mysql> quit

bye

Job done! Now read on:

http://dev.mysql.com/tech-resources/articles/proxy-gettingstarted.html
http://forge.mysql.com/wiki/MySQL_Proxy
http://www.oreillynet.com/pub/a/databases/2007/07/12/getting-started-with-mysql-proxy.html?page=1



How To Configure ISP Mail Server With Virtual Users/Domains On Centos 5.0 Using Postfix, Dovecot, MySQL, phpMyAdmin – Page 3

Testing and verifying your configuration:

Check for Postfix MySQL support

postconf -m

btree
cidr
environ
hash
ldap
mysql
nis
proxy
regexp
static
unix

If mysql doesn't appear, check your installation and recompile Postfix.

Check for Postfix SMTP AUTH Support

telnet mail.example.co.tz 25

(S: = server, C: = client):

S: 220 mail.example.co.tz ESMTP Postfix
C: EHLO example.co.tz
S: 250-mail.example.co.tz
S: 250-PIPELINING
S: 250-SIZE 10240000
S: 250-VRFY
S: 250-ETRN
S: 250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
S: 250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI

S: 250-XVERP
S: 250 8BITMIME
C: quit

Notice the two new lines?

250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI

These are the lines that Postfix issues when it offers the use of SMTP AUTH.

Check Postfix for TLS support

telnet mail.example.co.tz 25

This section applies for both NON-RPM and RPM installation.

In our HOWTO the smtpd daemon is in /usr/libexec/postfix/. So we do the following at the command line:

ldd /usr/libexec/postfix/smtpd

libsasl.so.7 => /usr/lib/libsasl.so.7 (0x4001e000)
libssl.so.2 => /lib/libssl.so.2 (0x4002a000)
libcrypto.so.2 => /lib/libcrypto.so.2 (0x40057000)
libdb-3.2.so => /lib/libdb-3.2.so (0x4011a000)
libnsl.so.1 => /lib/libnsl.so.1 (0x401c1000)
libresolv.so.2 => /lib/libresolv.so.2 (0x401d7000)
libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x401ea000)
libc.so.6 => /lib/i686/libc.so.6 (0x401f1000)
libdl.so.2 => /lib/libdl.so.2 (0x4032c000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x40330000)
libpam.so.0 => /lib/libpam.so.0 (0x4035d000)
libgssapi_krb5.so.2 => /usr/kerberos/lib/libgssapi_krb5.so.2 (0x40365000)
libkrb5.so.3 => /usr/kerberos/lib/libkrb5.so.3 (0x40378000)
libk5crypto.so.3 => /usr/kerberos/lib/libk5crypto.so.3 (0x403d1000)
libcom_err.so.3 => /usr/kerberos/lib/libcom_err.so.3 (0x403e2000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

The smtpd daemon supports TLS. If you cannot find the libssl in the output you either built Postfix with static libraries or building Postfix with TLS didn’t work. In this case you’ll have to reconfigure your Postfix SOURCE, recompile or rebuild it, backup the data in /etc/postfix/ and reinstall the newly compiled Postfix binaries.

Next we will check if we can initiate a TLS session. We telnet to the server and check whether the string STARTTLS shows up when Postfix advertises its capabilities. Then we simply type STARTTLS and wait for Postfix to respond that it is ready to start TLS. This is what a successful telnet session should look like:

telnet mail.example.co.tz 25

S: 220 mail.example.co.tz ESMTP Postfix (1.1.5)
C: EHLO example.co.tz
S: 250-mail.example.co.tz
S: 250-PIPELINING
S: 250-SIZE 10240000
S: 250-VRFY
S: 250-ETRN
S: 250-STARTTLS          <-- TLS support
S: 250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
S: 250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
S: 250-XVERP
S: 250 8BITMIME
C: STARTTLS
S: 220 Ready to start TLS
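The SMTP AUTH and TLS checks above are done by reading the EHLO reply by eye; this added Python (not part of the HOWTO) parses such a reply into a capability map and reports, from the defender's side, whether STARTTLS is offered and whether cleartext-capable mechanisms (PLAIN, LOGIN) are advertised before TLS has been negotiated. The transcript string is constructed from the exchange above.

```python
# Constructed EHLO reply mirroring the server lines in the transcript above,
# i.e. what the server sends on the still-unencrypted connection.
EHLO_RESPONSE = """\
250-mail.example.co.tz
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
250-XVERP
250 8BITMIME
"""

# SASL mechanisms that send the password (or a trivially decodable form of it)
# over the wire; they are only safe once the session is inside TLS.
CLEARTEXT_MECHS = ("PLAIN", "LOGIN")


def parse_ehlo(response: str) -> dict:
    """Map each advertised EHLO keyword to its parameter list.

    Multi-line replies use "250-" for continuation lines and "250 " for the
    last one; the first line only carries the server's name and is skipped.
    """
    caps = {}
    lines = [l for l in response.splitlines() if l.startswith("250")]
    for line in lines[1:]:
        body = line[4:].strip()
        # "AUTH=..." is the legacy duplicate of the AUTH line; fold it in.
        body = body.replace("AUTH=", "AUTH ", 1)
        keyword, _, params = body.partition(" ")
        caps[keyword.upper()] = params.split()
    return caps


def auth_mechanisms(caps: dict) -> list:
    return caps.get("AUTH", [])


def offers_starttls(caps: dict) -> bool:
    return "STARTTLS" in caps


def audit_ehlo(caps: dict) -> list:
    """Findings for an EHLO reply captured BEFORE the client issued STARTTLS."""
    findings = []
    if not offers_starttls(caps):
        findings.append("STARTTLS not offered: sessions cannot be encrypted")
    clear = [m for m in auth_mechanisms(caps) if m in CLEARTEXT_MECHS]
    if clear:
        findings.append("cleartext-capable AUTH mechanisms offered before TLS: "
                        + ", ".join(clear))
    return findings


if __name__ == "__main__":
    capabilities = parse_ehlo(EHLO_RESPONSE)
    print("AUTH:", auth_mechanisms(capabilities))
    print("STARTTLS:", offers_starttls(capabilities))
    for finding in audit_ehlo(capabilities):
        print("finding:", finding)
```

When PLAIN and LOGIN show up before STARTTLS, Postfix's smtpd_tls_auth_only = yes restricts AUTH to TLS-protected sessions so credentials cannot be sent in the clear.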

Sending a test mail from local machine

First we will verify that we are able to send mail on localhost to user test. This is the simplest test case we have. If we succeed, we will move on to sending mail to test from a mail client that does not run on our Postfix server.

mail hoboka@example.co.tz

Subject: Test from localhost
Test #1
.
Cc:
[root@example.co.tz]#

Check for delivery of test mail on local machine

Telnet to pop3 to view if postfix delivered your mail:

telnet example.co.tz pop3

Trying 192.168.49.81...
Connected to mail.example.co.tz (192.168.49.81).
Escape character is '^]'.
+OK Dovecot ready.
user hoboka@imesh.co.tz
+OK
pass mwamaLis
+OK Logged in.
list
+OK 1 messages:
1 429
.
retr 1
+OK 429 octets
Return-Path:
X-Original-To: user@mail.example.co.tz
Delivered-To: hoboka@example.co.tz
Received: by mail.example.co.tz (Postfix, from userid 500)
id 74408C0AC6; Thu, 19 Jun 2008 10:47:52 +0300 (EAT)
To: hoboka@example.co.tz
Subject: Test from local
Message-Id: <20080619074752.74408c0ac6@mail.example.co.tz>
Date: Thu, 19 Jun 2008 10:47:52 +0300 (EAT)
From: user@mail.example.co.tz (User)

Test #1
.
^]

[user@example.co.tz]$

View Appendix B for further testing test cases.

Finally fire-up the browser and go to http://mail.example.co.tz and enter the username and password and then click on Login. And enjoy playing with your mailserver.

phpMyAdmin Installation & Configuration:

PhpMyAdmin is a utility written in PHP which is intended to aid in the administration of a MySQL server, either locally, or over the WWW. It is maintained through the hard work and dedication of the folks at the phpMyAdmin project, and is currently available in 47 different languages.

Installation:

Download and extract the phpMyAdmin package. Let's move the directory to where we need it and rename it to something easier:

mv phpMyAdmin-2.11.6-english /var/www/html/phpadmin

Change directory to phpadmin root directory:

cd phpadmin/

Now, what we need to do is rename and edit the config.sample.inc.php file so it works with your setup.

cp -p config.sample.inc.php config.inc.php

So using vi, or whatever your favorite editor happens to be, open config.inc.php, find the following lines, and edit them as appropriate for your setup;

vi config.inc.php

Edit the following lines:

Enter this line with a password like word or phrase; example:

$cfg['blowfish_secret'] = 'bongo';
$cfg['Servers'][$i]['controluser'] = 'pma';      // MySQL username
$cfg['Servers'][$i]['controlpass'] = 'pmapass';  // MySQL password

Save and exit the file.

Create a virtual alias in /etc/httpd/conf/httpd.conf by appending the following lines.

vi /etc/httpd/conf/httpd.conf

Alias /phpadmin /var/www/html/phpadmin
<Directory /var/www/html/phpadmin>
    Order allow,deny
    Allow from all
</Directory>

After this, fire up a browser and enter http://127.0.0.1/phpadmin in the address bar. Enter the user name and password and start using it. Enjoy using phpMyAdmin for creating users, domains and aliases.

Appendix A:

Compiler options:

Options that Postfix needs in its Makefile are defined in environment variables such as CCARGS.
CCARGS: Provides additional arguments to the compiler. If your compiler allows special options or your supporting files are not located in default directories, indicate those options with this variable. The standard location for header files is the /usr/include directory. If your header files are located somewhere else, you have to tell the compiler where to look for them. The -I compiler option is used to specify additional directories where the compiler might find header files.

CCARGS='-I/usr/local/include/'

Use additional -I options for each additional directory the compiler should search.

Postfix uses conditional compilation during its build, depending on which libraries or other resources are available on your system. It defines certain macros based on what it discovers about your system or based on options you have selected. The -D option provides a way to define macros at the time you compile Postfix. Add-on packages for Postfix require that you define a particular macro to tell Postfix to include it when building.

For example, if you want to include support for MySQL, you define the HAS_MYSQL macro:

CCARGS='-DHAS_MYSQL'

Linker options are set in the AUXLIBS variable. After Postfix has compiled the object files, it links them together with required libraries into executable files. The standard location for system libraries is /usr/lib. To tell the linker to search additional directories for libraries, use the -L option:

AUXLIBS='-L/usr/local/lib'

You must also tell the linker which specific libraries to link in. The -l option is used to name specific libraries. The library files must be in a standard location or a directory indicated with the -L option. Library archive files are named starting with lib, followed by their name, followed by the extension, which is normally .a for static libraries and .so or .sl for shared objects or shared libraries. When you use the -l option, you leave off the initial lib and the extension of the library file. To link with the MySQL client library for example, where the library file is called libmysqlclient.a, the -l option is specified as follows:

AUXLIBS='-L/usr/local/lib -lmysqlclient'

Appendix B

Delivering mail to a remote user (Relaying)

From a remote machine, telnet to mail.example.co.tz (192.168.49.81) on port 25. On a successful connection, Postfix greets us with its smtpd banner. (If you fail to connect, check your firewall rules or whether Postfix is running.) Once connected, run the following commands.

(S: = server, C: = client):

S: 220 mail.example.co.tz ESMTP Postfix
C: EHLO example.co.tz
S: 250-mail.example.co.tz
S: 250-PIPELINING
S: 250-SIZE 10240000
S: 250-VRFY
S: 250-ETRN
S: 250-XVERP
S: 250 8BITMIME
C: mail from:<noah@domain.co.tz>
S: 250 Ok
C: rcpt to:<hoboka@example.co.tz>
S: 250 Ok
C: data
S: 354 End data with <CR><LF>.<CR><LF>
C: Testmail relaying mail from noah@domain.co.tz to hoboka@example.co.tz
C: Test #3
C: .
S: 250 Ok: queued as 84BA64078A
C: quit
S: 221 Bye



How To Set Up Shorewall (Shoreline) 4.0 Firewall On CentOS 5.1

Introduction

This tutorial will walk you through setting up the Shorewall (Shoreline) 4.0 firewall on CentOS 5.1; this can easily be adapted to any other Linux distribution out there.

The Shoreline Firewall, more commonly known as “Shorewall”, is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter’s ipchains compatibility mode and can thus take advantage of Netfilter’s connection state tracking capabilities. http://www.shorewall.net/

Important Note: Before installing Shorewall we need to uninstall ipchains if it is installed on your machine.

Download shorewall

wget http://www.invoca.ch/pub/packages/shorewall/4.0/shorewall-4.0.11/shorewall-4.0.11-2.noarch.rpm
wget http://www.invoca.ch/pub/packages/shorewall/4.0/shorewall-4.0.11/shorewall-perl-4.0.11-2.noarch.rpm
wget http://www.invoca.ch/pub/packages/shorewall/4.0/shorewall-4.0.11/shorewall-shell-4.0.11-2.noarch.rpm

You can check the download section of the Shorewall web site for newer versions: http://www.shorewall.net/download.htm

Install Shorewall

Installing shorewall is quite easy. Just open a terminal and do a

rpm -ivh shorewall-perl-4.0.11-2.noarch.rpm shorewall-shell-4.0.11-2.noarch.rpm shorewall-4.0.11-2.noarch.rpm

and you’re all ready. Don’t close your terminal, because we will need it some more.

Setting Shorewall

The program will not start unless you change the Shorewall configuration file /etc/shorewall/shorewall.conf. You can do this in the following way:

vim /etc/shorewall/shorewall.conf

Change the first line from

STARTUP_ENABLED=No

to

STARTUP_ENABLED=Yes

Save and exit (in VIM, hit [ESC] and then ‘:wq’).

If you want to configure Shorewall you need to copy the sample configuration files from /usr/share/doc/shorewall-4.0.11/Samples/. In the Samples directory there are 3 different directories: one-interface/, two-interfaces/ and three-interfaces/. Depending on your network, copy one set with one of the following commands:

cp /usr/share/doc/shorewall-4.0.11/Samples/one-interface/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/

or

cp /usr/share/doc/shorewall-4.0.11/Samples/two-interfaces/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/

or

cp /usr/share/doc/shorewall-4.0.11/Samples/three-interfaces/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/

Now you have configuration files located in /etc/shorewall.

Zones Configuration

Open and edit the file /etc/shorewall/zones to specify the different network zones; these are just labels that you will use in the other files.

vim /etc/shorewall/zones

Consider the Internet (net) as one zone, your local network (loc) as another and a private network or DMZ (dmz) as a third. The firewall zone, "fw", is your Linux box itself. With these zones the zones file would look like this:

#ZONE   TYPE        OPTIONS         IN              OUT
#                                   OPTIONS         OPTIONS
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Interfaces Configuration

The next file to edit is the interfaces file to specify the interfaces on your machine.

vim /etc/shorewall/interfaces

Here you connect the zones you defined in the previous step to actual interfaces. The third field is the broadcast address for the network attached to the interface ("detect" lets Shorewall work this out for you). The last field holds options for the interface; the options listed below are a good starting point.

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,dhcp,routefilter,nosmurfs,logmartians
loc     eth1        detect      tcpflags,nosmurfs
dmz     eth2        detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Policy Configuration

The next file defines your firewall's default policies, which apply when no rule matches. Usually you set the default policy to REJECT or DROP and then configure specifically which ports/services are allowed in the next step; anything you do not allow there is rejected or dropped according to this policy.

vim /etc/shorewall/policy

An example policy (based on the zones and interfaces we used above) would be:

#SOURCE     DEST        POLICY      LOG LEVEL   LIMIT:BURST
#
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# in your DMZ, change the following policy to REJECT info.
loc         net         ACCEPT
# If you want open access to DMZ from loc, change the following policy
# to ACCEPT. (If you chose not to do this, you will need to add a rule
# for each service in the rules file.)
loc         dmz         REJECT      info
loc         $FW         REJECT      info
loc         all         REJECT      info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
$FW         net         REJECT      info
$FW         dmz         REJECT      info
$FW         loc         REJECT      info
$FW         all         REJECT      info
#
# Policies for traffic originating from the De-Militarized Zone (dmz)
#
# If you want open access from DMZ to the Internet change the following
# policy to ACCEPT. This may be useful if you run a proxy server in
# your DMZ.
dmz         net         REJECT      info
dmz         $FW         REJECT      info
dmz         loc         REJECT      info
dmz         all         REJECT      info
#
# Policies for traffic originating from the Internet zone (net)
#
net         dmz         DROP        info
net         $FW         DROP        info
net         loc         DROP        info
net         all         DROP        info
# THE FOLLOWING POLICY MUST BE LAST
all         all         REJECT      info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Rules Configuration

The most important file is rules. This is where you set what is allowed and what is not. Any new connection that arrives at your firewall is checked against these rules; if none of them applies, the default policy applies.

Note: This is only for new connections, existing connections are automatically accepted.

The comments in the file give you a good idea of how things work, but the following provides an example that can give you a head start:

vim /etc/shorewall/rules

An example would be:

##############################################################################################################
#ACTION         SOURCE      DEST        PROTO   DEST    SOURCE      ORIGINAL    RATE    USER/   MARK
#                                               PORT    PORT(S)     DEST        LIMIT   GROUP
#
# Accept DNS connections from the firewall to the Internet
#
DNS/ACCEPT      $FW         net
#
#
# Accept SSH connections from the local network to the firewall and DMZ
#
SSH/ACCEPT      loc         $FW
SSH/ACCEPT      loc         dmz
#
# DMZ DNS access to the Internet
#
DNS/ACCEPT      dmz         net
#
# Drop Ping from the "bad" net zone.
#
Ping/DROP       net         $FW
#
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc-> net policy is ACCEPT).
#
Ping/ACCEPT     loc         $FW
Ping/ACCEPT     dmz         $FW
Ping/ACCEPT     loc         dmz
Ping/ACCEPT     dmz         loc
Ping/ACCEPT     dmz         net
ACCEPT          $FW         net         icmp
ACCEPT          $FW         loc         icmp
ACCEPT          $FW         dmz         icmp
# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
# the net zone to the dmz and loc
#Ping/ACCEPT    net         dmz
#Ping/ACCEPT    net         loc
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
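To see which line a given new connection actually hits under the policy and rules files above, here is an added example (not Shorewall's own code): a simplified Python evaluator that applies the first-match order described in the two sections above, rules first and then policy, to the entries shown. It covers only the entry forms used on this page; the macro expansions (SSH = tcp/22, DNS = tcp and udp/53, Ping = ICMP echo-request) and the "fw" name behind $FW are assumptions about the stock Shorewall 4.0 defaults.

```python
# Simplified evaluator for the policy and rules files above (an added example,
# not Shorewall code). Handles only the entry forms used on this page.

# Constructed copies of the non-comment lines of the policy and rules files above.
POLICY = """
loc   net   ACCEPT
loc   dmz   REJECT  info
loc   $FW   REJECT  info
loc   all   REJECT  info
$FW   net   REJECT  info
$FW   dmz   REJECT  info
$FW   loc   REJECT  info
$FW   all   REJECT  info
dmz   net   REJECT  info
dmz   $FW   REJECT  info
dmz   loc   REJECT  info
dmz   all   REJECT  info
net   dmz   DROP    info
net   $FW   DROP    info
net   loc   DROP    info
net   all   DROP    info
all   all   REJECT  info
"""
RULES = """
DNS/ACCEPT   $FW   net
SSH/ACCEPT   loc   $FW
SSH/ACCEPT   loc   dmz
DNS/ACCEPT   dmz   net
Ping/DROP    net   $FW
Ping/ACCEPT  loc   $FW
Ping/ACCEPT  dmz   $FW
Ping/ACCEPT  loc   dmz
Ping/ACCEPT  dmz   loc
Ping/ACCEPT  dmz   net
ACCEPT       $FW   net   icmp
ACCEPT       $FW   loc   icmp
ACCEPT       $FW   dmz   icmp
"""
# Assumed expansion of the stock Shorewall macros used above, as (protocol,
# destination port or ICMP type) pairs; $FW is assumed to be the zone named "fw".
MACROS = {"SSH": {("tcp", 22)}, "DNS": {("udp", 53), ("tcp", 53)}, "Ping": {("icmp", 8)}}


def parse_table(text):
    """Rows of a Shorewall column file, with comments and blank lines dropped."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def zone_matches(pattern, zone):
    """'all' matches any zone; $FW stands for the firewall zone itself."""
    return pattern == "all" or ("fw" if pattern == "$FW" else pattern) == zone


def rule_verdict(rule, src, dst, proto, dport):
    """The rule's target if it matches the new connection, else None."""
    action, rsrc, rdst = rule[:3]
    if not (zone_matches(rsrc, src) and zone_matches(rdst, dst)):
        return None
    if "/" in action:                               # macro form, e.g. SSH/ACCEPT
        macro, target = action.split("/", 1)
        return target if (proto, dport) in MACROS[macro] else None
    rproto = rule[3] if len(rule) > 3 else "-"      # plain form: PROTO, DEST PORT
    rport = rule[4] if len(rule) > 4 else "-"
    if rproto not in ("-", proto) or (rport != "-" and int(rport) != dport):
        return None
    return action


def decide(src, dst, proto, dport, rules=RULES, policy=POLICY):
    """First matching rule wins; otherwise the first matching policy line applies.
    Returns (verdict, "rule" or "policy")."""
    for rule in parse_table(rules):
        verdict = rule_verdict(rule, src, dst, proto, dport)
        if verdict is not None:
            return verdict, "rule"
    for psrc, pdst, pol, *_ in parse_table(policy):
        if zone_matches(psrc, src) and zone_matches(pdst, dst):
            return pol, "policy"
    raise ValueError("nothing matched; the policy file must end with an 'all all' line")


def catch_all_is_last(policy=POLICY):
    """The sample policy ends with 'all all REJECT'; confirm it is the last entry."""
    rows = parse_table(policy)
    return bool(rows) and rows[-1][:2] == ["all", "all"]
```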

Finally

Well we are done, let’s fire up the services and begin testing.

service shorewall start

Shorewall Web interface or GUI tool

There is a Webmin module for Shorewall that lets you configure it through a GUI. You can download it from http://www.webmin.com/download/modules/shorewall.wbm.gz.

Have fun!


By Jeffrey on | How To's

How To Configure ISP Mail Server With Virtual Users/Domains On Centos 5.0 Using Postfix, Dovecot, MySQL, phpMyAdmin – Page 2

Configuration:

SMTP-AUTH/TLS

First we configure SMTP-AUTH and TLS. For this, edit /usr/lib/sasl2/smtpd.conf with your favorite editor.

vi /usr/lib/sasl2/smtpd.conf

and make changes as given below.

pwcheck_method: saslauthd
mech_list: plain login

Create the directory, then the private key and lastly the certificate.

mkdir -p /etc/postfix/ssl/mailserver
cd /etc/postfix/ssl/mailserver
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Private keys and certificates have been created. Later on we will tell postfix to use them.

MySQL:

We will now create a database named mail; for this we issue the commands given below:

mysql -u root -p

Enter the password and you will be at the MySQL prompt (mysql>).

CREATE DATABASE mail;

Give all privileges on mail to user mail.

GRANT ALL PRIVILEGES ON mail.* TO 'mail'@'localhost' IDENTIFIED BY 'mail';
FLUSH PRIVILEGES;
quit

Set a new password for the mail user (the GRANT above set it to "mail"; mysqladmin needs that current password to change it):

mysqladmin -u mail -p password newpassword

Then we will create the necessary tables for our new database (mail) that contains domains, users, aliases and mailboxes information.

mysql -u mail -p

After giving the password you will be at the MySQL prompt.

show databases;

It will show all databases, including our “mail” database. We will use “mail”.

USE mail;

1. Create the domain table.

CREATE TABLE domain (
  domain varchar(255) NOT NULL default '',
  description varchar(255) NOT NULL default '',
  aliases int(10) NOT NULL default '0',
  mailboxes int(10) NOT NULL default '0',
  maxquota int(10) NOT NULL default '0',
  transport varchar(255) default NULL,
  backupmx tinyint(1) NOT NULL default '0',
  created datetime NOT NULL default '0000-00-00 00:00:00',
  modified datetime NOT NULL default '0000-00-00 00:00:00',
  active tinyint(1) NOT NULL default '1',
  PRIMARY KEY (domain),
  KEY domain (domain)
) ENGINE=MyISAM COMMENT='Virtual Domains';

2. The second most important table is mailbox, so create it next.

CREATE TABLE mailbox (
  username varchar(255) NOT NULL default '',
  password varchar(255) NOT NULL default '',
  name varchar(255) NOT NULL default '',
  maildir varchar(255) NOT NULL default '',
  quota int(10) NOT NULL default '0',
  domain varchar(255) NOT NULL default '',
  created datetime NOT NULL default '0000-00-00 00:00:00',
  modified datetime NOT NULL default '0000-00-00 00:00:00',
  active tinyint(1) NOT NULL default '1',
  PRIMARY KEY (username),
  KEY username (username)
) ENGINE=MyISAM COMMENT='Virtual Mailboxes';

3. Create the alias table.

CREATE TABLE alias (
  address varchar(255) NOT NULL default '',
  goto text NOT NULL,
  domain varchar(255) NOT NULL default '',
  created datetime NOT NULL default '0000-00-00 00:00:00',
  modified datetime NOT NULL default '0000-00-00 00:00:00',
  active tinyint(1) NOT NULL default '1',
  PRIMARY KEY (address),
  KEY address (address)
) ENGINE=MyISAM COMMENT='Virtual Aliases';

We have created the necessary tables, so quit MySQL.

quit

Postfix MySQL:

Postfix needs to know where and how it can look up all mailbox related information. For this purpose we create the following files under /etc/postfix. The password in each file must match the one set for the MySQL user mail above. Recent versions of Postfix support a single query parameter instead of the table/select_field/where_field/additional_conditions statements; in that case, comment all of those lines out and un-comment the last one.

1. Create file mysql_virtual_alias_maps.cf for forwarding emails from one email address to another.

vi /etc/postfix/mysql_virtual_alias_maps.cf

user = mail
password = mail
hosts = localhost
dbname = mail
table = alias
select_field = goto
where_field = address
additional_conditions = and active = '1'
#query = SELECT goto FROM alias WHERE address='%s' AND active = '1'

2. Create file mysql_virtual_domains_maps.cf, for the virtual domains mapping. Virtual domains are queried using information provided in this file.

vi /etc/postfix/mysql_virtual_domains_maps.cf

user = mail
password = mail
hosts = localhost
dbname = mail
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'
#query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '0' AND active = '1'

3. Create the file mysql_virtual_mailbox_maps.cf, which maps email addresses to the location of the user's mailbox on your hard disk. When incoming email is stored on disk by Postfix's built-in virtual delivery agent, this map is queried to find the mailbox path.

vi /etc/postfix/mysql_virtual_mailbox_maps.cf

user = mail
password = mail
hosts = localhost
dbname = mail
table = mailbox
select_field = CONCAT(domain,'/',maildir)
where_field = username
additional_conditions = and active = '1'
#query = SELECT CONCAT(domain,'/',maildir) FROM mailbox WHERE username='%s' AND active = '1'

4. Lastly, create the file mysql_virtual_mailbox_limit_maps.cf, which maps users to their mailbox quota limit.

vi /etc/postfix/mysql_virtual_mailbox_limit_maps.cf

user = mail
password = mail
hosts = localhost
dbname = mail
table = mailbox
select_field = quota
where_field = username
additional_conditions = and active = '1'
#query = SELECT quota FROM mailbox WHERE username='%s' AND active = '1'

5. Give the mysql_virtual files appropriate ownership and permission.

chown root:postfix *.cf
chmod 644 *.cf

Postfix:

In the Postfix configuration section we edit the main.cf file in Postfix's configuration directory (/etc/postfix) to enter the basic information Postfix needs.

mv /etc/postfix/main.cf /etc/postfix/main.cf.orig
vi /etc/postfix/main.cf

##############
# Postfix
################
# Date Modified 17th June 2008
#-------------------------------------------------------
smtpd_banner = $myhostname
biff = no
append_dot_mydomain = no
relayhost =
mynetworks = 192.168.49.0/24
inet_interfaces = 192.168.49.81
mailbox_size_limit = 0
recipient_delimiter = +
alias_database = hash:/etc/postfix/aliases
alias_maps = $alias_database
myhostname = example.co.tz
mydomain = rnd
myorigin = $myhostname
mydestination = $myhostname, localhost.$mydomain, $transport_maps
mail_spool_directory = /var/spool/mail
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = no
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail
html_directory = no
setgid_group = postdrop
command_directory = /usr/sbin
manpage_directory = /usr/share/man
daemon_directory = /usr/libexec/postfix
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
queue_directory = /var/spool/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 450
####################
# postfix section ends here
###############

Postfix Virtual user information:

Again we edit the main.cf file, this time to add support for virtual users. The "virtual_minimum_uid" and "virtual_uid_maps" settings point to user id 150 in my case, a user I created specifically for handling virtual mail; it uses the standard "mail" group with the default gid 12. So first create the user with useradd (or adduser).

useradd -r -u 150 -g mail -d /var/vmail -s /sbin/nologin -c "Virtual mailbox" vmail
mkdir -p /var/vmail
chmod 770 /var/vmail
chown vmail:mail /var/vmail
vi /etc/postfix/main.cf

#######################
# Virtual Domains Users and mailboxes
###############
virtual_mailbox_domains = mysql:$config_directory/mysql_virtual_domains_maps.cf
virtual_mailbox_base = /var/vmail
virtual_mailbox_maps = mysql:$config_directory/mysql_virtual_mailbox_maps.cf
virtual_alias_maps = mysql:$config_directory/mysql_virtual_alias_maps.cf
virtual_minimum_uid = 150
virtual_uid_maps = static:150
virtual_gid_maps = static:12
##############################
# Virtual section of main.cf ends
##############

Postfix SASL/TLS authentication:

Finally we edit main.cf once more to enable SASL/TLS authentication, using the certificates we created earlier to secure the mail server.

vi /etc/postfix/main.cf

####################
# SASL/TLS Authentication
#################################
# SASL PART
#########
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
######
# TLS PART
###########
smtpd_tls_cert_file = /etc/postfix/ssl/mailserver/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/mailserver/smtpd.key
smtpd_tls_CAfile = /etc/postfix/ssl/mailserver/cacert.pem
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_received_header = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_timeout = 3600s
###########################
# SASL/TLS Authentication ends here
#############

For my convenience I have divided main.cf into three sections {Postfix, Virtual-Domains-Users-and-mailboxes, SASL/TLS-Authentication}; SASL/TLS-Authentication is further divided into (SASL-PART and TLS-PART). To show you each section and its parameters I have edited the same file thrice. Now copy /etc/aliases and /etc/aliases.db to /etc/postfix/ and run newaliases.

cp /etc/aliases* /etc/postfix/
newaliases

Dovecot v1.x IMAP and POP:

Let us configure Dovecot, which provides both a POP3 and an IMAP service. The configuration file for Dovecot is /etc/dovecot.conf. We back up the original file to dovecot.conf.orig and amend the running file to our needs. To handle virtual users with Dovecot we create the file /etc/dovecot-mysql.conf.

vi /etc/dovecot-mysql.conf

######
# dovecot-mysql.conf should look like this
###########
# NOTE: '\' line splitting is used only for readability, currently Dovecot doesn't support it
# The mysqld.sock socket may be in different locations in different systems
driver = mysql
default_pass_scheme = plain
#connect = host=/var/run/mysqld/mysqld.sock dbname=mail user=root password=default
# Alternatively you can connect to localhost as well:
connect = host=localhost dbname=mail user=mail password=mail
password_query = SELECT password FROM mailbox WHERE username = '%u'
user_query = SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' as mail, 150 AS uid, 12 AS gid, concat('dirsize:storage=',quota) AS quota FROM mailbox WHERE username ='%u' AND active ='1'
####################
# ends here
####################

Now we configure dovecot.conf to authenticate virtual users through the MySQL-backed passdb and userdb. Keep in mind that normal Linux users cannot log in to the mail server, because we have not enabled PAM authentication in our Dovecot configuration. Also, first_valid_uid and last_valid_uid are set to 150, which means only the user with uid 150 can log in. The IMAP, IMAPS, POP3 and POP3S protocols are made available.

cp -p /etc/dovecot.conf /etc/dovecot.conf.orig
vi /etc/dovecot.conf

(Only edit the following lines)

##############
# dovecot configured to work with virtual users
############
base_dir = /var/run/dovecot/
protocols = imap pop3 imaps pop3s
listen = [::]
login_dir = /var/run/dovecot-login
mail_location = mbox:/var/vmail/%d/%n
mbox_read_locks = fcntl
log_timestamp = "%Y-%m-%d %H:%M:%S "
log_path = /var/log/maillog
mail_extra_groups = mail
first_valid_uid = 150
last_valid_uid = 150
maildir_copy_with_hardlinks = yes
userdb sql {
  args = /etc/dovecot-mysql.conf
}
passdb sql {
  args = /etc/dovecot-mysql.conf
}
####################################
# ends here
######################

After this we set the ownership and access rights on /etc/dovecot.conf and /etc/dovecot-mysql.conf (the latter contains the database password, so it must not be world-readable).

chmod 600 /etc/dovecot.conf /etc/dovecot-mysql.conf
chown vmail /etc/dovecot.conf /etc/dovecot-mysql.conf

Roundcube Installation & Configuration:

Based on INSTALLATION NOTES (Roundcube)

1. Decompress and put this folder somewhere inside your document root (/var/www/html/mail)
2. Make sure that the following directories (and the files within) are writable by the webserver:
   - /temp
   - /logs
3. Create a new database and a database user for RoundCube (see DATABASE SETUP)
4. Point your browser to http://url-to-roundcube/installer/
5. Follow the instructions of the install script (or see MANUAL CONFIGURATION)
6. After creating and testing the configuration, remove the installer directory
7. Done!

DATABASE SETUP

* MySQL 4.1.x/5.x

For MySQL version 4.1 and up, it’s recommended to create the database for RoundCube with utf-8 charset. Here’s an example of the init procedure:

mysql -u root -p

CREATE DATABASE roundcubemail DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost IDENTIFIED BY 'password';
quit

mysql -u mail -p roundcubemail <>

Note: ‘password’ is the master password for the roundcube user. It is strongly recommended you replace this with a more secure password. Please keep in mind: You need to specify this password later in ‘config/db.inc.php’.

HTTP Section:

To start using the mailserver web front end we will edit file /etc/httpd/conf/httpd.conf.

vi /etc/httpd/conf/httpd.conf

And append the statements given below to it.

# Front end mail access using roundcube
# Assumed container: all addresses, port 80; adjust to your setup.
<VirtualHost *:80>
    DocumentRoot /var/www/html/mail
    ServerName mail.example.co.tz
</VirtualHost>

Save the configuration and exit.

Creating Virtual users and domains:

1. Now we will create virtual domains and virtual users in our mail database.

mysql -u mail -p

2. Enter the password and you will be at the mysql> prompt.

USE mail;

3. First create a virtual domain in the domain table (example.co.tz) using the command given below.

INSERT INTO domain (domain,description,aliases,mailboxes,maxquota,transport,backupmx,active) VALUES ('example.co.tz','Virtual domain','10','10','0','virtual','0','1');

4. Now create two virtual users in the mailbox table. I have created (kiiza@example.co.tz & hoboka@example.co.tz) as usernames for kiiza and hoboka.

INSERT INTO mailbox (username,password,name,maildir,quota,domain,active) VALUES ('hoboka@example.co.tz','mwamaLis','Hoboka Mwamakunge','hoboka/','0','example.co.tz','1');
INSERT INTO mailbox (username,password,name,maildir,quota,domain,active) VALUES ('kiiza@example.co.tz','gekman','Kiiza Mutungi','kiiza/','0','example.co.tz','1');
quit
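With the domain and mailboxes inserted, the lookups Postfix (the mysql_virtual_*.cf maps above) and Dovecot (dovecot-mysql.conf) perform can be traced end to end. This added example is not part of the original howto: it rebuilds the three tables in an in-memory SQLite database (MySQL's CONCAT() becomes ||, Postfix's %s becomes a bound parameter), loads the rows inserted above plus one constructed alias row, and runs the page's queries to show how a recipient is routed, what Dovecot hands back for a login, and how the active flag disables a mailbox.

```python
import hmac
import sqlite3

# Constructed in-memory stand-in for the "mail" database: the domain, mailbox
# and alias tables from this page (column types trimmed for SQLite), the domain
# and two mailboxes inserted above, plus one alias row added here for illustration.
SCHEMA = """
CREATE TABLE domain (domain TEXT PRIMARY KEY, description TEXT, aliases INTEGER,
    mailboxes INTEGER, maxquota INTEGER, transport TEXT, backupmx INTEGER, active INTEGER);
CREATE TABLE mailbox (username TEXT PRIMARY KEY, password TEXT, name TEXT, maildir TEXT,
    quota INTEGER, domain TEXT, active INTEGER);
CREATE TABLE alias (address TEXT PRIMARY KEY, goto TEXT, domain TEXT, active INTEGER);
INSERT INTO domain VALUES ('example.co.tz', 'Virtual domain', 10, 10, 0, 'virtual', 0, 1);
INSERT INTO mailbox VALUES ('hoboka@example.co.tz', 'mwamaLis', 'Hoboka Mwamakunge',
    'hoboka/', 0, 'example.co.tz', 1);
INSERT INTO mailbox VALUES ('kiiza@example.co.tz', 'gekman', 'Kiiza Mutungi',
    'kiiza/', 0, 'example.co.tz', 1);
INSERT INTO alias VALUES ('postmaster@example.co.tz', 'hoboka@example.co.tz', 'example.co.tz', 1);
"""

# The "#query =" lines of the four mysql_virtual_*.cf files. Postfix substitutes
# the quoted lookup key for %s; a bound parameter plays that role here, and
# SQLite's || replaces MySQL's CONCAT().
POSTFIX_MAPS = {
    "virtual_mailbox_domains":
        "SELECT domain FROM domain WHERE domain=? AND backupmx = '0' AND active = '1'",
    "virtual_alias_maps":
        "SELECT goto FROM alias WHERE address=? AND active = '1'",
    "virtual_mailbox_maps":
        "SELECT domain || '/' || maildir FROM mailbox WHERE username=? AND active = '1'",
    "virtual_mailbox_limit_maps":
        "SELECT quota FROM mailbox WHERE username=? AND active = '1'",
}
VIRTUAL_MAILBOX_BASE = "/var/vmail"

# The two queries from dovecot-mysql.conf; Dovecot expands %u/%d/%n itself.
DOVECOT_PASSWORD_QUERY = "SELECT password FROM mailbox WHERE username = '%u'"
DOVECOT_USER_QUERY = ("SELECT '/var/vmail/%d/%n' AS home, 'maildir:/var/vmail/%d/%n' AS mail, "
                      "150 AS uid, 12 AS gid, 'dirsize:storage=' || quota AS quota "
                      "FROM mailbox WHERE username ='%u' AND active ='1'")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def postfix_lookup(conn, map_name, key):
    """One table lookup as Postfix performs it; None means the key was not found."""
    row = conn.execute(POSTFIX_MAPS[map_name], (key,)).fetchone()
    return None if row is None else row[0]


def route_recipient(conn, address):
    """The lookups a recipient goes through under the main.cf above: is the
    domain one of ours, is the address an alias, does a mailbox exist."""
    domain = address.rpartition("@")[2]
    if postfix_lookup(conn, "virtual_mailbox_domains", domain) is None:
        return {"action": "reject", "reason": "Relay access denied"}
    goto = postfix_lookup(conn, "virtual_alias_maps", address)
    if goto is not None:
        return {"action": "alias", "goto": goto}
    maildir = postfix_lookup(conn, "virtual_mailbox_maps", address)
    if maildir is None:
        return {"action": "reject", "reason": "User unknown in virtual mailbox table"}
    # A trailing slash tells the virtual delivery agent to deliver in Maildir format.
    return {"action": "deliver", "path": VIRTUAL_MAILBOX_BASE + "/" + maildir,
            "format": "maildir" if maildir.endswith("/") else "mbox"}


def _expand(query, user):
    """Dovecot's %u (full user), %n (local part) and %d (domain) variables, with
    single quotes doubled so the value cannot break out of the SQL string."""
    local, _, domain = user.rpartition("@")
    esc = lambda s: s.replace("'", "''")
    return query.replace("%u", esc(user)).replace("%n", esc(local)).replace("%d", esc(domain))


def dovecot_userdb(conn, user):
    """user_query result as a dict, or None when the user is missing or inactive."""
    row = conn.execute(_expand(DOVECOT_USER_QUERY, user)).fetchone()
    return None if row is None else dict(zip(("home", "mail", "uid", "gid", "quota"), row))


def dovecot_passdb(conn, user, password):
    """password_query with default_pass_scheme = plain: a straight comparison."""
    row = conn.execute(_expand(DOVECOT_PASSWORD_QUERY, user)).fetchone()
    return row is not None and hmac.compare_digest(row[0], password)
```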

Now that we have created the virtual users and the virtual domain, we want to test our mail server by logging in and sending mail from one user account to another. So let's start the Dovecot, Postfix, MySQL and web server daemons, and make them start automatically on the next reboot. For this we issue the following commands.

chkconfig --level 235 mysqld on
chkconfig --level 235 saslauthd on
chkconfig --level 235 postfix on
chkconfig --level 235 dovecot on
chkconfig --level 235 httpd on
/etc/init.d/saslauthd start
/etc/init.d/mysqld start
/etc/init.d/postfix start
/etc/init.d/dovecot start
/etc/init.d/httpd start



How To Create A Cluster Testbed Using CentOS 5 Virtualization And iSCSI – Page 3

E. iSCSI

iSCSI is a Storage Area Network protocol that allows shared storage over an existing network infrastructure. In my setup, I used iscsitarget from http://iscsitarget.sourceforge.net.

1. iSCSI server installation and configuration

1.a compiling the iscsi application tarball

This needs to be done on the physical host.

  • Get the tarball from SourceForge and put it in /usr/local/src.
  • cd to /usr/local/src:

    cd /usr/local/src

  • Then extract the files:

    tar xvf iscsitarget-0.4.16.tar.gz
    cd iscsitarget-0.4.16

  • Then run:

    make
    make install

1.b configuration needed

This is my ietd.conf configuration defining the “LUNs” to be allocated to the guests from the physical host’s disks:

#/etc/ietd.conf
# NOTE: the config file has more entries than what I'm showing here,
# but I've commented out the original entries and made the following
Target iqn.2008-07.NODE00:LUN01.NODE00
    MaxConnections 2
    Lun 1 Path=/dev/Virtual00VG/lvLUN01,Type=fileio
    Alias LUN01
Target iqn.2008-07.NODE00:LUN02.NODE00
    MaxConnections 2
    Lun 2 Path=/dev/Virtual00VG/lvLUN02,Type=fileio
    Alias LUN02
# end of ietd.conf

In my physical host system, I have created two logical volumes 50G each in size. You can also use files or disk partitions, just change the Path entries in the ietd.conf file.

1.c ACL

iscsitarget has /etc/initiators.allow and /etc/initiators.deny that work like hosts.allow and hosts.deny. In my setup, I will allow node01 and node02 to access the two LUNs defined in ietd.conf.

#/etc/initiators.allow
#this should correspond to the definition in your /etc/ietd.conf
iqn.2008-07.NODE00:LUN01.NODE00 192.168.100.10, 192.168.100.20
iqn.2008-07.NODE00:LUN02.NODE00 192.168.100.10, 192.168.100.20
# end of initiators.allow

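
Added example, not part of the iscsitarget project: a Python check that applies the hosts.allow/hosts.deny order the text above refers to (an allow match wins, then a deny match refuses, and an initiator matched by neither file is permitted) to the files shown, and lists targets that no entry restricts at all. The third target and the "ALL ALL" deny line are constructed for illustration; address patterns are matched as single IPs or CIDR networks, which is an assumption about ietd's ACL syntax.

```python
import ipaddress

# Constructed copies of the ietd.conf and initiators.allow shown above, plus a
# third target added here for illustration that has no ACL entry.
IETD_CONF = """
Target iqn.2008-07.NODE00:LUN01.NODE00
    MaxConnections 2
    Lun 1 Path=/dev/Virtual00VG/lvLUN01,Type=fileio
    Alias LUN01
Target iqn.2008-07.NODE00:LUN02.NODE00
    MaxConnections 2
    Lun 2 Path=/dev/Virtual00VG/lvLUN02,Type=fileio
    Alias LUN02
Target iqn.2008-07.NODE00:SCRATCH.NODE00
    Lun 0 Path=/dev/Virtual00VG/lvScratch,Type=fileio
"""
INITIATORS_ALLOW = """
#/etc/initiators.allow
iqn.2008-07.NODE00:LUN01.NODE00 192.168.100.10, 192.168.100.20
iqn.2008-07.NODE00:LUN02.NODE00 192.168.100.10, 192.168.100.20
"""
# A constructed deny file that closes everything not explicitly allowed.
INITIATORS_DENY_ALL = "ALL ALL\n"


def parse_ietd_targets(text):
    """Return {target_name: [Lun definitions]} from an ietd.conf."""
    targets, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key == "Target":
            current = rest.strip()
            targets[current] = []
        elif key == "Lun" and current is not None:
            targets[current].append(rest.strip())
    return targets


def parse_acl(text):
    """Return [(target_pattern, [address_patterns])] from initiators.allow/deny,
    in file order. Addresses are comma separated; ALL matches everything."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        target, _, addrs = line.partition(" ")
        entries.append((target, [a.strip() for a in addrs.split(",") if a.strip()]))
    return entries


def _address_matches(pattern, ip):
    if pattern == "ALL":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _acl_matches(entries, target, ip):
    return any((t == "ALL" or t == target) and any(_address_matches(a, ip) for a in addrs)
               for t, addrs in entries)


def initiator_allowed(target, ip, allow_text, deny_text=""):
    """hosts.allow/hosts.deny order: an allow match wins, then a deny match
    refuses, and an initiator matched by neither file is permitted."""
    if _acl_matches(parse_acl(allow_text), target, ip):
        return True
    if _acl_matches(parse_acl(deny_text), target, ip):
        return False
    return True


def unprotected_targets(ietd_text, allow_text, deny_text=""):
    """Targets with LUNs that no ACL line names and that no 'ALL' deny line
    covers, i.e. reachable by any initiator that can route to the host."""
    allow, deny = parse_acl(allow_text), parse_acl(deny_text)
    if any(t == "ALL" for t, _ in deny):
        return []
    named = {t for t, _ in allow + deny}
    return [t for t, luns in parse_ietd_targets(ietd_text).items() if luns and t not in named]
```
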
  • Start the iscsi-target service:

    service iscsi-target start

  • and make sure it starts during bootup:

    chkconfig --add iscsi-target
    chkconfig iscsi-target on
    chkconfig --list iscsi-target

    iscsi-target 0:off 1:off 2:on 3:on 4:on 5:on 6:off

2 Client Side

The package iscsi-initiator-utils-6.2.0.865-0.8.el5 should already be installed (as it is included in the kickstart file above).

2.a configuration

  • Edit the file /etc/iscsi/initiatorname.iscsi to define the targets.
  • My /etc/iscsi/initiatorname.iscsi is as follows:

    #/etc/iscsi/initiatorname.iscsi
    InitiatorName=iqn.2008-07.NODE00:LUN01.NODE00
    InitiatorName=iqn.2008-07.NODE00:LUN02.NODE00
    # end of /etc/iscsi/initiatorname.iscsi

  • Run iscsid service and try to discover the LUNs:

    service iscsid start

    Turning off network shutdown. Starting iSCSI daemon: [ OK ]

    iscsiadm -m discovery -t st -p node00

    192.168.222.1:3260,1 iqn.2008-07.NODE00:LUN01.NODE00
    192.168.222.1:3260,1 iqn.2008-07.NODE00:LUN02.NODE00

  • Then start the iscsi service. You’ll then see the LUN definitions created earlier:

    service iscsi start

    will then show the following:

     iscsid (pid 964 963) is running...
     Setting up iSCSI targets: Login session [iface: default, target: iqn.2008-07.NODE00:LUN02.NODE00, portal: 192.168.222.1,3260]
     Login session [iface: default, target: iqn.2008-07.NODE00:LUN01.NODE00, portal: 192.168.222.1,3260]
     [ OK ]

  • Check system logs to see if the disks have been seen:

    dmesg

     scsi0 : iSCSI Initiator over TCP/IP
       Vendor: IET       Model: VIRTUAL-DISK      Rev: 0
       Type:   Direct-Access                      ANSI SCSI revision: 04
     scsi 0:0:0:2: Attached scsi generic sg0 type 0
     SCSI device sda: 104857600 512-byte hdwr sectors (53687 MB)
     sda: Write Protect is off
     sda: Mode Sense: 77 00 00 08
     SCSI device sda: drive cache: write through
     SCSI device sda: 104857600 512-byte hdwr sectors (53687 MB)
     sda: Write Protect is off
     sda: Mode Sense: 77 00 00 08
     SCSI device sda: drive cache: write through
      sda: unknown partition table
     sd 0:0:0:2: Attached scsi disk sda
     scsi1 : iSCSI Initiator over TCP/IP
       Vendor: IET       Model: VIRTUAL-DISK      Rev: 0
       Type:   Direct-Access                      ANSI SCSI revision: 04
     SCSI device sdb: 104857600 512-byte hdwr sectors (53687 MB)
     sdb: Write Protect is off
     sdb: Mode Sense: 77 00 00 08
     SCSI device sdb: drive cache: write through
     SCSI device sdb: 104857600 512-byte hdwr sectors (53687 MB)
     sdb: Write Protect is off
     sdb: Mode Sense: 77 00 00 08
     SCSI device sdb: drive cache: write through
      sdb: unknown partition table
     sd 1:0:0:1: Attached scsi disk sdb
     sd 1:0:0:1: Attached scsi generic sg1 type 0

    I now have sda and sdb, each 53687 MB in size (results for your setup may be different).

  • Running fdisk:

    fdisk -l

     Disk /dev/xvda: 32.2 GB, 32212254720 bytes
     255 heads, 63 sectors/track, 3916 cylinders
     Units = cylinders of 16065 * 512 = 8225280 bytes

        Device Boot      Start         End      Blocks   Id  System
     /dev/xvda1   *           1          13      104391   83  Linux
     /dev/xvda2              14        3916    31350847+  8e  Linux LVM

     Disk /dev/sda: 53.6 GB, 53687091200 bytes
     64 heads, 32 sectors/track, 51200 cylinders
     Units = cylinders of 2048 * 512 = 1048576 bytes

     Disk /dev/sda doesn't contain a valid partition table

     Disk /dev/sdb: 53.6 GB, 53687091200 bytes
     64 heads, 32 sectors/track, 51200 cylinders
     Units = cylinders of 2048 * 512 = 1048576 bytes

     Disk /dev/sdb doesn't contain a valid partition table

Now do the same for node02. Once the disks are seen by both guests, you can then start setting up a two-node cluster. I’ve used this configuration to test a two-node Oracle 10gR2 RAC setup with shared ASM storage and OCFS2 on a 64-bit system.

F. Conclusion

This kind of setup will help you to learn the basics of clustering without the need of acquiring additional hardware. In no way can this setup be used in a “live” environment. Once you have familiarized yourself with the concept of how a cluster is prepared, you can apply the concept when building real, physical setups that you need for your organization. I hope you’ll find this useful.

G. Further Readings



How To Configure ISP Mail Server With Virtual Users/Domains On Centos 5.0 Using Postfix, Dovecot, MySQL, phpMyAdmin, TLS/SSL

Contributed By Eliufoo C. Mahinda

Emancipate yourself from mental slavery;
None but ourselves can free our minds.
-Redemption Song -Bob Marley

Acknowledgement To:

Babaraleem, the original author of How To Configure ISP Mail Server With Virtual Users/Domains On CentOS 4.5 Using Postfix, Dovecot, MySQL, phpMyAdmin, TLS/SSL.
url: http://www.howtoforge.com/virtual-users-and-domains-postfix-dovecot-mysql-centos4.5

I decided to update and add extra information to a tutorial I found online by Babaraleem to further assist Postfix newbies. I experienced a difficult time following an out-of-date howto when setting up my own mail server. I spent a long time troubleshooting, googling and reading other tutorials and documentation on Postfix. The final result is this howto.

You may find that most tutorials/howtos found online contain very limited information on how to verify and test your server configuration; you will have to look for other documentation to learn how to test your server. I hope the information gathered in this howto will be helpful.

This howto will explain how to set up an email server on CentOS 5 using Postfix, Dovecot, RoundCube, virtual users/domains and phpMyAdmin. I have also done a similar setup on Fedora Core 6. My best advice is to set this up first on a workstation and test it thoroughly before setting it up on a server and going live with it!

This howto does not go into much detail, if you are looking for a full explanation of what is going on then read the documentation for each program. This is merely a step by step guide to get you up and running. You may use apt / yum to install software.

The content of this howto is broken down into three phases: compiling/installation, configuring, and verifying your configuration.

Pre-Configuration Requirements:

1. Hostname mail.example.co.tz with IP address (192.168.49.81) to eth0. (You can assign an IP address and hostname of your choice.)
2. Create an alias eth0:0. Assign IP address (192.168.49.81). (You can assign an IP address of your choice.)
3. Make entries for your hostname and IP in /etc/hosts. In my case my /etc/hosts file shows:

127.0.0.1      localhost.localdomain localhost
192.168.49.80  dns.example.co.tz dns
192.168.49.81  mail.example.co.tz mail

rpm -qa | grep cyrus

cyrus-sasl-sql-2.1.22-4
cyrus-sasl-2.1.22-4
cyrus-sasl-devel-2.1.22-4
cyrus-sasl-md5-2.1.22-4
cyrus-sasl-ntlm-2.1.22-4
cyrus-sasl-ldap-2.1.22-4
cyrus-sasl-plain-2.1.22-4
cyrus-sasl-gssapi-2.1.22-4
cyrus-sasl-lib-2.1.22-4

We need at least the following packages installed to make Cyrus-SASL and Postfix work, and for Postfix to find what it needs when it is compiled with SASL support:

cyrus-sasl-2.1.22-4
cyrus-sasl-authd-2.1.22-4
cyrus-sasl-devel-2.1.22-4

Then you have to choose at least one of the following mechanisms to use when authenticating users:

cyrus-sasl-gssapi-2.1.22-4
cyrus-sasl-md5-2.1.22-4
cyrus-sasl-plain-2.1.22-4

Installing openssl used for TLS support

Description:

TLS (formerly SSL) stands for Transport Layer Security. Once this layer is established, it encrypts the communication between two hosts. If we use SMTP AUTH and the mechanisms PLAIN or LOGIN usernames and passwords are sent plaintext over the internet. This means that anyone could sniff the communication and read the passwords. If you don’t want this – which I’m sure you don’t – you can use TLS to help.

yum install -y openssl openssl-devel mod_ssl

Verify the required packages are installed.

rpm -qa | grep openssl

openssl097a-0.9.7a-9
openssl-0.9.8b-15.fc6
mod_ssl-2.2.6-1.fc6
openssl-perl-0.9.8b-15.fc6
openssl-devel-0.9.8b-15.fc6

Install dovecot

If you install Postfix before Dovecot, Dovecot will not install on your system because of package conflicts.

Description:

Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems, written with security primarily in mind. This will install dovecot along with dependencies (mysql and postgresql).

yum install -y dovecot

Download, compile and install postfix with MySQL, TLS and SASL support (+LDAP).

Description: I am assuming you already know what postfix is hence, won’t explain what it is.

Unzipping postfix:

tar zxvf postfix-2.5.2.tar.gz

Change directory to postfix root directory:

cd postfix-2.5.2/

Compiling postfix with MySQL, TLS, SASL support:

NOTE: You need db4 and db4-devel installed (Postfix's hash: and btree: tables are Berkeley DB files); -DHAS_MYSQL also needs mysql-devel and -DHAS_LDAP needs openldap-devel.

make makefiles \
CCARGS='-DUSE_SASL_AUTH -DUSE_CYRUS_SASL -DUSE_TLS -DHAS_MYSQL -DHAS_LDAP \
-I/usr/include/sasl -I/usr/include/openssl \
-I/usr/include/mysql -I/usr/include' \
AUXLIBS='-L/usr/lib -L/usr/lib/openssl/engines \
-L/usr/lib/mysql -L/usr/lib \
-lsasl2 -lcrypto -lssl -lmysqlclient -lz -lm -lldap -llber \
-Wl,-rpath,/usr/lib/mysql -Wl,-rpath,/usr/lib \
-Wl,-rpath,/usr/lib/openssl/engines'

make install

NOTE: -DUSE_TLS and -DUSE_CYRUS_SASL are the macro names Postfix 2.3 and later look for. The spellings -DHAS_SSL (from the old pfixtls patch) and -DUSE_CYRUS that still circulate in guides are not recognised by this version, so a build using them finishes without errors but comes out with no TLS and no Cyrus SASL server plugin. make install is interactive and must run as root, and Postfix expects the postfix user and the postdrop group to exist before you run it. See Appendix A for further explanation of the compiler arguments.

We will verify shortly that these features actually made it into the binaries: postconf -m must list mysql and ldap, postconf -a must list cyrus, and the smtpd daemon must be linked against libssl.

192.168.49.81 mail.example.co.tz mail

Installation Of Required Packages:

We need the following packages installed: Cyrus SASL, for SMTP AUTH.

Description: The basic SMTP protocol provides no mechanism to authenticate users. Because envelope sender addresses are trivially forged, you cannot know who is sending mail to your server unless you have a reliable way to authenticate clients. Before you grant relay privileges you need assurance that senders are who they claim to be, and the sender address is no such assurance. In this section we install and verify the packages for the Simple Authentication and Security Layer (SASL), which we use to control mail relaying and, more generally, to identify who is using the mail server.

yum -y install 'cyrus*'

(Quote the glob so the shell does not expand it against files in the current directory.) The cyrus-sasl packages this pulls in are the ones listed at the top of this section; rpm -qa | grep cyrus shows what actually got installed.


By Jeffrey on | How To's

How To Create A Cluster Testbed Using CentOS 5 Virtualization And iSCSI – Page 2

D. Virtualization

1. virtual networks

As root, run

virt-manager

The Virtual Machine Manager window should appear. You’ll see Domain-0 and the resources it is using.

1.a to create the virtual network:

  • On the menu, click on Edit and then “Host details”.
  • In the Host Details window, you will only see “default” on the left frame. Below, click on “Add”.
  • The “Create a new virtual network” window will appear, click forward.
  • Use "public1" (no quotes) and then hit forward.
  • Network should be "192.168.222.0/24" then hit forward.
  • DHCP range: Start: 192.168.222.128 end: 192.168.222.254 then hit forward.
  • This will be an “Isolated virtual network”. Hit forward.
  • Summary:

    Network Name: public1

    IPV4 network:

    Network: 192.168.222.0/24

    Gateway: 192.168.222.1

    Netmask: 255.255.255.0

    DHCP

    Start address: 192.168.222.128

    End address : 192.168.222.254

    Forwarding:

    Connectivity: Isolated virtual network

  • Hit Finish.

You'll go back to the Host Details window and the public1 entry will appear. Now do the same steps for the network private1 with the following settings:

Network Name: private1

IPV4 network:

Network: 192.168.100.0/24

Gateway: 192.168.100.1

Netmask: 255.255.255.0

DHCP

Start address: 192.168.100.128

End address : 192.168.100.254

Forwarding:

Connectivity: Isolated virtual network

When you are done, in the Host Details window click on "File > Close" to go back to the Virtual Machine Manager window, then click on "File > Quit". NOTE: Don't leave the Virtual Machine Manager window running if you are not going to use it; it eats up a lot of memory. If this happens, you need to restart Xen.

Once done, vnet0 and vnet1 can be seen when you run

ifconfig

vnet0     Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:192.168.222.1  Bcast:192.168.222.255  Mask:255.255.255.0
          inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:7782 (7.5 KiB)

vnet1     Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:192.168.100.1  Bcast:192.168.100.255  Mask:255.255.255.0
          inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:7712 (7.5 KiB)

2. kickstart files

I'm providing the kickstart file for node01, which you can also use for node02. You just need to modify the IP addresses and hostname entries.

2.a for node01

#START of node01_ks.cfg
install
text
reboot
#uncomment the line you want to use
# for nfs
nfs --server=192.168.222.1 --dir=/var/ftp/pub/centos5u1
##url --url ftp://:@/
# this will be an anonymous ftp access
#url --url ftp://192.168.222.1/pub/centos5u1/i386
#key --skip
lang en_US.UTF-8
keyboard us
skipx
# private
network --device eth1 --bootproto static --ip 192.168.100.10 --netmask 255.255.255.0
# public - disabled on initial install
network --device eth0 --bootproto static --ip 192.168.222.10 --netmask 255.255.255.0 --gateway 192.168.222.1 --nameserver 192.168.222.1 --hostname node01.example.com
## password is n0de01pass
rootpw --iscrypted $1$Lqk1Y$Y8TIWCMLiiPjVt1GjRS0F1
## password is n0de02pass
#rootpw --iscrypted $1$Rn47b$DDwgrOv3IFGf3HVhsxv9X0
firewall --disabled
authconfig --enableshadow --enablemd5
selinux --disabled
timezone --utc Asia/Singapore
services --disabled ipsec,iptables,bluetooth,hplip,firstboot,cups,sendmail,xfs
bootloader --location=mbr --driveorder=xvda,xvdb --append="rhgb quiet"
clearpart --all --initlabel --drives=xvda
part /boot --fstype ext3 --size=100 --ondisk=xvda
part pv.2 --size=0 --grow --ondisk=xvda
volgroup VolGroup00 --pesize=32768 pv.2
logvol swap --fstype swap --name=LogVol01 --vgname=VolGroup00 --size=1000 --grow --maxsize=1984
logvol / --fstype ext3 --name=LogVol00 --vgname=VolGroup00 --size=1024 --grow

%packages
@development-libs
@system-tools
@gnome-software-development
@text-internet
@x-software-development
@dns-server
@core
@authoring-and-publishing
@base
@ftp-server
@network-server
@legacy-software-development
@java
@legacy-software-support
@smb-server
@base-x
@web-server
@printing
@server-cfg
@sql-server
@admin-tools
@development-tools
emacs
lsscsi
gnutls-utils
hwbrowser
audit
iptraf
mesa-libGLU-devel
kexec-tools
device-mapper-multipath
vnc-server
xorg-x11-utils
xorg-x11-server-Xnest
xorg-x11-server-Xvfb
imake
iscsi-initiator-utils
ypserv
-sysreport

%post
cat << EOT >> /etc/hosts
# private or replace with nodeXY-
192.168.100.10 node01-priv
192.168.100.20 node02-priv
192.168.100.1 node00-priv
#public or replace with nodeXY
192.168.222.10 node01
192.168.222.20 node02
192.168.222.1 node00
EOT
# yum local repo
mv /etc/yum.repos.d/*.repo /tmp
cat > /etc/yum.repos.d/centos5.repo << EOF
[centos5-Server]
name=CEntos5 Server
baseurl=http://node00/centos5u1/i386
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
EOF
#change default runlevel
ed /etc/inittab << EOF
,s/id:5:initdefault:/id:3:initdefault:/g
w
q
EOF
# vncserver stuff
# quoted delimiter so $HOME and $VNCDESKTOP are written literally instead of being expanded during %post
cat << 'EOT' > /opt/vnc_xstartup
#!/bin/sh
# run vncserver and copy to your $HOME/.vnc/xstartup file
# Uncomment the following two lines for normal desktop:
# unset SESSION_MANAGER
# exec /etc/X11/xinit/xinitrc
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 130x30+12+12 -ls -bg black -fg green -title "$VNCDESKTOP Desktop" &
mwm &
EOT
# END of node01_ks.cfg

2.b for node02

Copy the node01_ks.cfg file above to node02_ks.cfg and change the appropriate entries for node02: the hostname, both IP addresses, and the rootpw lines (comment out node01's hash and uncomment node02's). Keep in mind what these files contain and how they travel: the kickstart is fetched over plain HTTP from node00, carries the root password hash with the cleartext in a comment beside it, and switches the firewall and SELinux off. That is acceptable on the isolated public1 network, but don't reuse these passwords anywhere else, and don't expose the ks files or the nodes beyond the testbed without changing those settings.
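Before serving a kickstart like this one over HTTP it is worth checking what it gives away. The following Python script is an added example (not from the article) that scans a kickstart for the settings a security engineer would flag: a cleartext or MD5-crypt root password, a password left in a comment, the host firewall or SELinux disabled, the iptables service switched off, and a yum repo written in %post with gpgcheck=0. SAMPLE_KS is a constructed excerpt that mirrors the node01 file above; the finding codes are this script's own naming.

```python
import re

# Constructed excerpt modelled on node01_ks.cfg above; not the whole file.
SAMPLE_KS = """\
install
text
## password is n0de01pass
rootpw --iscrypted $1$Lqk1Y$Y8TIWCMLiiPjVt1GjRS0F1
firewall --disabled
authconfig --enableshadow --enablemd5
selinux --disabled
services --disabled ipsec,iptables,bluetooth,hplip,firstboot,cups,sendmail,xfs
%packages
@base
-sysreport
%post
cat > /etc/yum.repos.d/centos5.repo << EOF
[centos5-Server]
baseurl=http://node00/centos5u1/i386
enabled=1
gpgcheck=1
EOF
"""


def lint_kickstart(text):
    """Return (code, line_number, line) findings for risky kickstart settings.

    Section tracking matters: 'firewall --disabled' is a directive in the
    command section but only text inside a %post script, and gpgcheck= only
    means something inside a repo file written by %post.
    """
    findings = []
    section = "commands"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("%"):
            section = line.split()[0][1:]          # %packages -> packages, %post -> post
            continue
        if line.startswith("#"):
            # Comments are not directives, but a cleartext password in one is a finding.
            if re.search(r"\bpassword\s+is\b", line, re.I):
                findings.append(("CLEARTEXT_PASSWORD_COMMENT", lineno, line))
            continue
        if section == "commands":
            if line.startswith("rootpw"):
                if "--iscrypted" not in line:
                    findings.append(("ROOTPW_CLEARTEXT", lineno, line))
                elif re.search(r"\s\$1\$", line):         # $1$ prefix = MD5-crypt
                    findings.append(("ROOTPW_MD5CRYPT", lineno, line))
            elif line.startswith("firewall") and "--disabled" in line:
                findings.append(("FIREWALL_DISABLED", lineno, line))
            elif line.startswith("selinux") and "--disabled" in line:
                findings.append(("SELINUX_DISABLED", lineno, line))
            elif line.startswith("services") and re.search(r"--disabled\s+\S*\biptables\b", line):
                findings.append(("IPTABLES_SERVICE_DISABLED", lineno, line))
        elif section == "post":
            if re.match(r"gpgcheck\s*=\s*0\b", line):
                findings.append(("REPO_GPGCHECK_OFF", lineno, line))
    return findings


if __name__ == "__main__":
    for code, lineno, line in lint_kickstart(SAMPLE_KS):
        print("{:<28} line {:>2}: {}".format(code, lineno, line))
```

Run against the sample it reports the comment, the MD5-crypt hash, the disabled firewall, SELinux and iptables, and nothing for the repo because gpgcheck=1 is set. For a node that will ever see traffic from outside the testbed the fixes are the obvious ones: drop the password comments, use firewall --enabled --ssh and selinux --enforcing, keep iptables in the enabled set, and rotate the root password after installation since anyone who could fetch the ks file has the hash.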

3. Installing the guest systems (node01 and node02)

For the installation, we’ll be invoking it in the CLI, using

virt-install

But first, generate the MAC addresses for the NICS of the virtual systems:

3.a MAC Address generation

We’ll use a python script provided by the Red Hat Virtualization Guide:

#!/usr/bin/python
# macgen.py script to generate a MAC address for Red Hat Virtualization guests
import random
#
def randomMAC():
    mac = [ 0x00, 0x16, 0x3e,
        random.randint(0x00, 0x7f),
        random.randint(0x00, 0xff),
        random.randint(0x00, 0xff) ]
    return ':'.join(map(lambda x: "%02x" % x, mac))
#
print(randomMAC())
# careful with the indentation
# this is from the Virtualization guide from redhat.com
# http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Virtualization/index.html

node01 NICs

# for eth0 . public1

[root@node00 ~]# ./macgen.py

00:16:3e:33:32:07

# for eth1 . private1

[root@node00 ~]# ./macgen.py

00:16:3e:55:6b:83

Then do the same for node02’s virtual NICs.

3.b virt-install command for node01

virt-install -p -n node01 -r 768 -f /dev/Virtual00VG/lvNODE01 -m 00:16:3e:33:32:07 \
-w network:public1 -m 00:16:3e:55:6b:83 -w network:private1 \
-l nfs:192.168.222.1:/var/ftp/pub/centos5u1/i386 \
-x "ksdevice=eth0 ks=http://192.168.222.1/centos5u1/node01_ks.cfg" --vnc

Parameters:

-p = paravirtualized guest

-n node01 = name of the guest system

-r 768 = amount of RAM in MB

-f /dev/Virtual00VG/lvNODE01 = disk to be used by the guest system (can be an unused partition in your system, like /dev/sda3 or /dev/hda9)

-m 00:16:3e:33:32:07 = MAC address for eth0

-w network:public1 = eth0's network

-m 00:16:3e:55:6b:83 = MAC address for eth1

-w network:private1 = eth1's network

-l nfs:192.168.222.1:/var/ftp/pub/centos5u1/i386 = installation source that virt-install boots the installer kernel and initrd from (the package source actually used during the kickstart install is the nfs directive in the ks file)

-x "ksdevice=eth0 ks=http://192.168.222.1/centos5u1/node01_ks.cfg" = extra kernel arguments for the installer: ksdevice=eth0 selects the NIC on public1, which picks up a DHCP lease from that network's range just to fetch the kickstart file; the ks file then sets the static addresses

--vnc = will launch a GUI window for you to view the installation (if you are running virt-install from a VNC session or a GUI terminal)

3.c virt-install command for node02

virt-install -p -n node02 -r 768 -f /dev/Virtual00VG/lvNODE02 -m 00:16:3e:1e:05:b6 \
-w network:public1 -m 00:16:3e:40:3d:b0 -w network:private1 \
-l nfs:192.168.222.1:/var/ftp/pub/centos5u1/i386 \
-x "ksdevice=eth0 ks=http://192.168.222.1/centos5u1/node02_ks.cfg" --vnc

I ran the above virt-install inside a VNC session on the physical host so that the guest installation screens appear automatically. You can start it in the physical host's console and the installation of the guest systems will run in the background. Their installation can be viewed by running virt-manager and then opening the guests.


By Jeffrey on | How To's
