All Free For You » Debian

Virtualization With Xen On Debian Lenny (AMD64)

admin — Sat, 22 May 2010 03:17:22 +0000

Xen lets you create guest operating systems (*nix operating systems like Linux and FreeBSD), so called \”virtual machines\” or domUs, under a host operating system (dom0).

Virtualization With XenOn Debian Lenny (AMD64)

Version 1.0
Author: Falko Timme
Last edited 02/03/2009

This tutorial provides step-by-step instructions on how to install Xenon a Debian Lenny (5.0) system (AMD64).

Xen lets you create guest operating systems (*nix operating systems like Linux and FreeBSD), so called “virtual machines” or domUs, under a host operating system (dom0). Using Xen you can separate your applications into different virtual machines that are totally independent from each other (e.g. a virtual machine for a mail server, a virtual machine for a high-traffic web site, another virtual machine that serves your customers’ web sites, a virtual machine for DNS, etc.), but still use the same hardware. This saves money, and what is even more important, it’s more secure. If the virtual machine of your DNS server gets hacked, it has no effect on your other virtual machines. Plus, you can move virtual machines from one Xen server to the next one.

I do not issue any guarantee that this will work for you!

1 Preliminary Note

I’m using a Debian Lenny system (x86_64) with the hostname server1.example.com and the IP address 192.168.0.100 as the host system (dom0). (The setup might differ slightly if you are on an i386 system.) I will use Debian Lenny for the virtual machines (domU) as well.

This guide will explain how to set up image-based virtual machines and also LVM-based virtual machines.

2 Installing Xen

To install Xen, we simply run

apt-get install xen-hypervisor-3.2-1-amd64 xen-linux-system-2.6.26-1-xen-amd64 xen-utils-3.2-1 xenstore-utils xenwatch xen-shell xen-tools

Afterwards we open /etc/modules and make sure that we have the line loop max_loop=64 in it (this step is needed only if you want to create image-based virtual machines – you can skip it if you want to create LVM-based virtual machines):

vi /etc/modules

[...]
loop max_loop=64

Next we open /etc/xen/xend-config.sxp…

vi /etc/xen/xend-config.sxp

… and uncomment the line (network-script network-bridge) and comment out the line (network-script network-dummy). Also make sure that the line (vif-script vif-bridge) is enabled:

[...]
(network-script network-bridge)
[...]
#(network-script network-dummy)
[...]
(vif-script vif-bridge)
[...]

Then reboot the system:

reboot

Run

uname -r

and your new Xen kernel should show up:

server1:~# uname -r
2.6.26-1-xen-amd64
server1:~#

3 Creating Image-Based Virtual Machines

We will use xen-tools to create virtual machines. xen-tools make it very easy to create virtual machines – please read this tutorial to learn more: http://www.tusforyou.com/xen_tools_xen_shell_argo. We’ve already installed xen-tools in the previous step (chapter 2).

Now we edit /etc/xen-tools/xen-tools.conf. This file contains the default values that are used by the xen-create-image script unless you specify other values on the command line. I changed the following values and left the rest untouched:

vi /etc/xen-tools/xen-tools.conf

[...]
dir = /home/xen
[...]
dist = lenny # Default distribution to install.
[...]
gateway = 192.168.0.1
netmask = 255.255.255.0
broadcast = 192.168.0.255
[...]
passwd = 1
[...]
kernel= /boot/vmlinuz-`uname -r`
initrd= /boot/initrd.img-`uname -r`
[...]
mirror = http://ftp.de.debian.org/debian/
[...]
serial_device = hvc0
[...]
disk_device = xvda
[...]

The dir line specifies where the virtual machine images will be stored. dist specifies the distribution to be installed in the virtual machines (Debian Lenny) (there’s a comment in the file that explains what distributions are currently supported).

The passwd = 1 line makes that you can specify a root password when you create a new guest domain. In the mirror line specify a Debian mirror close to you.

Make sure you specify a gateway, netmask, and broadcast address. If you don’t, and you don’t specify a gateway and netmask on the command line when using xen-create-image, your guest domains won’t have networking even if you specified an IP address!

It is very important that you add the line serial_device = hvc0 because otherwise your virtual machines might not boot properly!

Before we go on, we must create the directory where the virtual machine images should be stored:

mkdir /home/xen

Now let’s create our first guest domain, xen1.example.com, with the IP address 192.168.0.101:

xen-create-image –hostname=xen1.example.com –size=4Gb –swap=256Mb –ip=192.168.0.101 –memory=128Mb –arch=amd64 –role=udev

Options that you specify on the command line override the settings in /etc/xen-tools/xen-tools.conf. Options that are not specified on the command line are taken from /etc/xen-tools/xen-tools.conf. Please make sure that you add –role=udev, or your virtual machine might not boot properly!

(To learn more about the available options, take a look at the xen-create-image man page:

man xen-create-image

)

The xen-create-image command will now create the xen1.example.com virtual machine for us. This can take a few minutes. The output should be similar to this one:

server1:~# xen-create-image –hostname=xen1.example.com –size=4Gb –swap=256Mb –ip=192.168.0.101 –memory=128Mb –arch=amd64 –role=udev

General Information
——————–
Hostname       :  xen1.example.com
Distribution   :  lenny
Partitions     :  swap            256Mb (swap)
                  /               4Gb   (ext3)
Image type     :  sparse
Memory size    :  128Mb
Kernel path    :  /boot/vmlinuz-2.6.26-1-xen-amd64
Initrd path    :  /boot/initrd.img-2.6.26-1-xen-amd64

Networking Information
———————-
IP Address 1   : 192.168.0.101 [MAC: 00:16:3E:D0:91:EE]
Netmask        : 255.255.255.0
Broadcast      : 192.168.0.255
Gateway        : 192.168.0.1

Creating partition image: /home/xen/domains/xen1.example.com/swap.img
Done

Creating swap on /home/xen/domains/xen1.example.com/swap.img
Done

Creating partition image: /home/xen/domains/xen1.example.com/disk.img
Done

Creating ext3 filesystem on /home/xen/domains/xen1.example.com/disk.img
Done
Installation method: debootstrap
Done

Running hooks
Done

Role: udev
File: /etc/xen-tools/role.d/udev
Role script completed.

Creating Xen configuration file
Done
Setting up root password
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
All done

Logfile produced at:
/var/log/xen-tools/xen1.example.com.log
server1:~#

There should now be a xen1.example.com configuration file – /etc/xen/xen1.example.com.cfg. Take a look at it to become familiar with virtual machines configuration files:

vi /etc/xen/xen1.example.com.cfg

#
# Configuration file for the Xen instance xen1.example.com, created
# by xen-tools 3.9 on Tue Feb3 17:56:25 2009.
#
#
#Kernel + memory size
#
kernel= '/boot/vmlinuz-2.6.26-1-xen-amd64'
ramdisk = '/boot/initrd.img-2.6.26-1-xen-amd64'
memory= '128'
#
#Disk device(s).
#
root= '/dev/xvda2 ro'
disk= [ 'file:/home/xen/domains/xen1.example.com/swap.img,xvda1,w', 'file:/home/xen/domains/xen1.example.com/disk.img,xvda2,w', ]
#
#Hostname
#
name= 'xen1.example.com'
#
#Networking
#
vif = [ 'ip=192.168.0.101,mac=00:16:3E:D0:91:EE' ]
#
#Behaviour
#
on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash= 'restart'

(Please note: if you have a dual-core or quad-core CPU and want the virtual machine to use all CPU cores, please add the line vcpus = ’2′ or vcpus = ’4′ to the configuration file.)

To start the virtual machine, run

xm create /etc/xen/xen1.example.com.cfg

Run

xm console xen1.example.com

to log in on that virtual machine (type CTRL+] if you are at the console, or CTRL+5 if you’re using PuTTY to go back to dom0), or use an SSH client to connect to it (192.168.0.101).

To get a list of running virtual machines, type

xm list

The output should look like this:

server1:~# xm list
Name                                        ID   Mem VCPUs      State   Time(s)
Domain-0                                     0  3488     2     r—–    398.2
xen1.example.com                             6   128     1     -b—-      2.8
server1:~#

To shut down xen1.example.com, do this:

xm shutdown xen1.example.com

If you want xen1.example.com to start automatically at the next boot of the system, then do this:

ln -s /etc/xen/xen1.example.com.cfg /etc/xen/auto

Here are the most important Xen commands:

xm create -c /path/to/config – Start a virtual machine.
xm shutdown – Stop a virtual machine.
xm destroy – Stop a virtual machine immediately without shutting it down. It’s as if you switch off the power button.
xm list – List all running systems.
xm console – Log in on a virtual machine.
xm help – List of all commands.

A list of all virtual machines that were created with the xen-create-image command is available under

xen-list-images

server1:~# xen-list-images
Name: xen1.example.com
Memory: 128
IP: 192.168.0.101
server1:~#

To learn more about what you can do with xen-tools, take a look at this tutorial: http://www.tusforyou.com/xen_tools_xen_shell_argo

Virtualization With Xen On Debian Lenny (AMD64) – Page 2

admin — Sat, 22 May 2010 03:15:56 +0000

how you can set up LVM-based virtual machines instead of virtual machines that use disk images. Virtual machines that use disk images are very slow and heavy on disk IO.

4 Creating LVM-Based Virtual Machines

This chapter explains how you can set up LVM-based virtual machinesinstead of virtual machines that use disk images. Virtual machines that use disk images are very slow and heavy on disk IO.

In this example I’m using a Debian Lenny host with the LVM volume group /dev/vg0 that has about 500GB of space. /dev/vg0 contains two logical volumes, /dev/vg0/root and /dev/vg0/swap_1 that consume about 11GB of space – the rest is not allocated and can be used to create logical volumes for our virtual machines:

vgdisplay

server1:~# vgdisplay
  — Volume group —
  VG Name               vg0
  System ID
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  4
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                3
  Open LV               2
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               465.28 GB
  PE Size               4.00 MB
  Total PE              119112
  Alloc PE / Size       5420 / 21.17 GB
  Free  PE / Size       113692 / 444.11 GB
  VG UUID               zXVC4l-FQZa-6dvS-rXQG-YbO9-g0Ce-2iTiIw

server1:~#

lvdisplay

server1:~# lvdisplay
  — Logical volume —
  LV Name                /dev/vg0/root
  VG Name                vg0
  LV UUID                x74hzO-wh3O-VwiJ-QHpq-xwfT-kOyd-iJ49jB
  LV Write Access        read/write
  LV Status              available
  # open                 1
  LV Size                9.31 GB
  Current LE             2384
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           254:0

  — Logical volume —
  LV Name                /dev/vg0/swap_1
  VG Name                vg0
  LV UUID                RMDldO-nAVy-dvqP-rZh2-NkFd-48aw-YbPK9i
  LV Write Access        read/write
  LV Status              available
  # open                 1
  LV Size                1.86 GB
  Current LE             476
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           254:1

server1:~#

Next we edit /etc/xen-tools/xen-tools.conf. This file contains the default values that are used by the xen-create-image script unless you specify other values on the command line. I changed the following values and left the rest untouched:

vi /etc/xen-tools/xen-tools.conf

[...]
lvm = vg0
[...]
dist = lenny # Default distribution to install.
[...]
gateway = 192.168.0.1
netmask = 255.255.255.0
broadcast = 192.168.0.255
[...]
passwd = 1
[...]
kernel= /boot/vmlinuz-`uname -r`
initrd= /boot/initrd.img-`uname -r`
[...]
mirror = http://ftp.de.debian.org/debian/
[...]
serial_device = hvc0
[...]
disk_device = xvda
[...]

Make sure that you uncomment the lvm line and fill in the name of your volume group (vg0 in my case). At the same time make sure that the dir line is commented out!

dist specifies the distribution to be installed in the virtual machines (Debian Lenny) (there’s a comment in the file that explains what distributions are currently supported).

The passwd = 1 line makes that you can specify a root password when you create a new guest domain.

In the mirror line specify a Debian mirror close to you.

It is very important that you add the line serial_device = hvc0 because otherwise your virtual machines might not boot properly!

Now let’s create our first guest domain, xen1.example.com, with the IP address 192.168.0.101:

xen-create-image –hostname=xen1.example.com –size=4Gb –swap=256Mb –ip=192.168.0.101 –memory=128Mb –arch=amd64 –role=udev

(To learn more about the available options, take a look at the xen-create-image man page:

man xen-create-image

)

The xen-create-image command will now create the xen1.example.com virtual machine for us. This can take a few minutes. The output should be similar to this one:

server1:~# xen-create-image –hostname=xen1.example.com –size=4Gb –swap=256Mb –ip=192.168.0.101 –memory=128Mb –arch=amd64 –role=udev

General Information
——————–
Hostname       :  xen1.example.com
Distribution   :  lenny
Partitions     :  swap            256Mb (swap)
                  /               4Gb   (ext3)
Image type     :  full
Memory size    :  128Mb
Kernel path    :  /boot/vmlinuz-2.6.26-1-xen-amd64
Initrd path    :  /boot/initrd.img-2.6.26-1-xen-amd64

Networking Information
———————-
IP Address 1   : 192.168.0.101 [MAC: 00:16:3E:0F:A1:93]
Netmask        : 255.255.255.0
Broadcast      : 192.168.0.255
Gateway        : 192.168.0.1

Creating swap on /dev/vg0/xen1.example.com-swap
Done

Creating ext3 filesystem on /dev/vg0/xen1.example.com-disk
Done
Installation method: debootstrap
Done

Running hooks
Done

Role: udev
File: /etc/xen-tools/role.d/udev
Role script completed.

Creating Xen configuration file
Done
Setting up root password
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
All done

Logfile produced at:
/var/log/xen-tools/xen1.example.com.log
server1:~#

As you see from the output, xen-create-image has created a new logical volume for our VM in the vg0 volume group, /dev/vg0/xen1.example.com-disk, for the VM’s root filesystem. Take a look at

lvdisplay

and you will see that it has also created a second logical volume, /dev/vg0/xen1.example.com-swap, for the VM’s swap:

  — Logical volume —
  LV Name                /dev/vg0/xen1.example.com-swap
  VG Name                vg0
  LV UUID                KNWeFo-2HiK-YcZl-8L63-8dVI-vehD-r7nx0x
  LV Write Access        read/write
  LV Status              available
  # open                 0
  LV Size                256.00 MB
  Current LE             64
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           254:2

  — Logical volume —
  LV Name                /dev/vg0/xen1.example.com-disk
  VG Name                vg0
  LV UUID                ifTchw-YKqk-ELet-MlF1-hw59-ZCIE-TcDnQm
  LV Write Access        read/write
  LV Status              available
  # open                 0
  LV Size                4.00 GB
  Current LE             1024
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           254:3

server1:~#

There should now be a xen1.example.com configuration file – /etc/xen/xen1.example.com.cfg. The disk line contains physical devices (the two logical volumes created by xen-create-image) instead of disk images:

vi /etc/xen/xen1.example.com.cfg

#
# Configuration file for the Xen instance xen1.example.com, created
# by xen-tools 3.9 on Tue Feb3 17:43:52 2009.
#
#
#Kernel + memory size
#
kernel= '/boot/vmlinuz-2.6.26-1-xen-amd64'
ramdisk = '/boot/initrd.img-2.6.26-1-xen-amd64'
memory= '128'
#
#Disk device(s).
#
root= '/dev/xvda2 ro'
disk= [ 'phy:/dev/vg0/xen1.example.com-swap,xvda1,w', 'phy:/dev/vg0/xen1.example.com-disk,xvda2,w', ]#
#Hostname
#
name= 'xen1.example.com'
#
#Networking
#
vif = [ 'ip=192.168.0.101,mac=00:16:3E:0F:A1:93' ]
#
#Behaviour
#
on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash= 'restart'

(If we had used disk images instead of logical volumes, the disk line would look similar to this one:

disk = [ 'file:/path/to/xen1.example.com/disk.img,sda1,w', 'file:/path/to/xen1.example.com/swap.img,sda2,w' ]

)

(Please note: if you have a dual-core or quad-core CPU and want the virtual machine to use all CPU cores, please add the line vcpus = ’2′ or vcpus = ’4′ to the configuration file.)

To start the virtual machine, run

xm create /etc/xen/xen1.example.com.cfg

Run

xm console xen1.example.com

to log in on that virtual machine (type CTRL+] if you are at the console, or CTRL+5 if you’re using PuTTY to go back to dom0), or use an SSH client to connect to it (192.168.0.101).

To get a list of running virtual machines, type

xm list

The output should look like this:

server1:~# xm list
Name                                      ID Mem(MiB) VCPUs State   Time(s)
Domain-0                                   0      747     1 r—–   1402.9
xen1.example.com                           1      256     1 -b—-     55.8
server1:~#

To shut down xen1.example.com, do this:

xm shutdown xen1.example.com

If you want xen1.example.com to start automatically at the next boot of the system, then do this:

ln -s /etc/xen/xen1.example.com.cfg /etc/xen/auto

Here are the most important Xen commands:

A list of all virtual machines that were created with the xen-create-image command is available under

xen-list-images

server1:~# xen-list-images
Name: xen1.example.com
Memory: 128
IP: 192.168.0.101
server1:~#

To learn more about what you can do with xen-tools, take a look at this tutorial: http://www.tusforyou.com/xen_tools_xen_shell_argo

5 Links

Xen: http://www.xensource.com/xen/
xen-tools: http://xen-tools.org/software/xen-tools
Debian: http://www.debian.org/

Virtualization With Xen On Debian Lenny (AMD64)

Chrooted SSH/SFTP Tutorial (Debian Lenny)

admin — Sat, 22 May 2010 02:58:55 +0000

Since version 4.8, OpenSSH supports chrooting (see http://openssh.org/txt/release-4.8), so no patches are needed anymore. This tutorial describes how to give users chrooted SSH access. With this setup, you can give your users shell access without having to fear that they can see your whole system. Your users will be jailed in a specific directory which they will not be able to break out of. I will also show how to use chrooted SFTP.

Chrooted SSH/SFTP Tutorial (Debian Lenny)

Version 1.0
Author: Falko Timme
Last edited 03/03/2009

I do not issue any guarantee that this will work for you!

1 Preliminary Note

The OpenSSH version coming with Debian Lenny is 5.1p1, so it supports chrooting.

I will use the user falko here with the home directory /home/falko. The user falko belongs to the group users. I want to chroot the user to the /home directory.

2 Installing OpenSSH

If OpenSSH is not already installed, install it as follows:

apt-get install ssh openssh-server

3 Enabling Chrooted SFTP

Enabling SFTP is very easy. Open /etc/ssh/sshd_config…

vi /etc/ssh/sshd_config

… and make sure you have the following line in it:

[...]
Subsystem sftp /usr/lib/openssh/sftp-server
[...]

Then add the following stanza at the end of the file (add such a stanza for each user that you want to chroot):

[...]
Match User falko ChrootDirectory /home AllowTCPForwarding no X11Forwarding no ForceCommand /usr/lib/openssh/sftp-server

Instead of adding a stanza for each user, you can also chroot groups, e.g. as follows:

[...]
Match Group users ChrootDirectory /home AllowTCPForwarding no X11Forwarding no ForceCommand /usr/lib/openssh/sftp-server

This would chroot all members of the users group to the /home directory.

Restart OpenSSH:

/etc/init.d/ssh restart

If you chroot multiple users to the same directory, but don’t want the users to browse the home directories of the other users, you can change the permissions of each home directory as follows:

chmod 700 /home/falko

Afterwards, you can log in with an SFTP client, such as FileZilla or WinSCP.

4 Enabling Chrooted SSH

Enabling chrooted SSH is a bit more complicated because we must set up a chroot environment with all programs/tools (e.g. /bin/bash, /bin/cp, etc.) that the users should be able to use. This means we must also copy all libraries that these programs need to the chroot jail. You can do this manually with the cp command, and you can find out what libraries a tool needs by using the ldd command, e.g.

ldd /bin/bash

We also have to create some devices such as /dev/null, /dev/zero, /dev/tty, and /dev/urandom inside the chroot jail with the mknod command.

However, this can be a tedious task. Fortunately, there’s a script that can do this for us.

First, we need to install some prerequisites:

apt-get install sudo debianutils coreutils

Then we download make_chroot_jail.sh to /usr/local/sbin and make it executable for the root user:

cd /usr/local/sbin
wget http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh
chmod 700 /usr/local/sbin/make_chroot_jail.sh

Before we use the script, you might want to add some programs (e.g. such as /usr/bin/vi) to the APPS line of your distribution in that script so that these tools get added to the chroot jail automatically:

vi /usr/local/sbin/make_chroot_jail.sh

[...]
elif [ "$DISTRO" = DEBIAN ]; then APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd /usr/bin/vi"
else
[...]

Next we add a symlink /home/home that points back to /home:

cd /home
ln -s . home

Now we can already use the script. Usage is as follows:

make_chroot_jail.sh username [/path/to/chroot-shell [/path/to/chroot]]

chroot-shell is a special shell created by the script to chroot users. Since OpenSSH now supports chrooting by default, we don’t need the script to create a special shell; instead, we can use /bin/bash or /bin/sh.

It doesn’t matter if the user is already existing or not. If he’s existing, he will be updated; if not, he will be created.

make_chroot_jail.sh falko /bin/bash /home

This will create/update the user falko with the chroot jail /home.

To update all files/libraries in the chroot jail, run

make_chroot_jail.sh update /bin/bash /home

Now we need to configure OpenSSH which is similar to the SFTP configuration. Open /etc/ssh/sshd_config…

vi /etc/ssh/sshd_config

… and add the following stanza at the end of the file (add such a stanza for each user that you want to chroot):

[...]
Match User falko ChrootDirectory /home AllowTCPForwarding no X11Forwarding no

Instead of adding a stanza for each user, you can also chroot groups, e.g. as follows:

[...]
Match Group users ChrootDirectory /home AllowTCPForwarding no X11Forwarding no

This would chroot all members of the users group to the /home directory.

The difference to the SFTP configuration is that this time, we must not use the line ForceCommand /usr/lib/openssh/sftp-server in the Match stanzas! This makes that users can still use chrooted SFTP (provided you also have the line Subsystem sftp /usr/lib/openssh/sftp-server in /etc/ssh/sshd_config), but also chrooted SSH.

Restart OpenSSH:

/etc/init.d/ssh restart

If you chroot multiple users to the same directory, but don’t want the users to browse the home directories of the other users, you can change the permissions of each home directory as follows:

chmod 700 /home/falko

Afterwards, you can log in with with an SSH client such as PuTTY.

5 Links

OpenSSH: http://www.openssh.org
make_chroot_jail.sh: http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail
Debian: http://www.debian.org

Setting Up A High-Availability Load Balancer (With Failover and Session Support) With Perlbal/Heartbeat On Debian Etch Page 2

admin — Fri, 21 May 2010 18:49:17 +0000

This article explains how to set up a two-node load balancer in an active/passive configuration with Perlbal and heartbeat on Debian Etch. The load balancer sits between the user and two (or more) backend Apache web servers that hold the same content. Not only does the load balancer distribute the requests to the two backend Apache servers, it also checks the health of the backend servers. If one of them is down, all requests will automatically be redirected to the remaining backend server. In addition to that, the two load balancer nodes monitor each other using heartbeat, and if the master fails, the slave becomes the master, which means the users will not notice any disruption of the service. Perlbal is session-aware, which means you can use it with any web application that makes use of sessions (such as forums, shopping carts, etc.).

5 Setting Up Heartbeat

We’ve just configured Perlbal to listen on the virtual IP address 192.168.0.99, but someone has to tell lb1 and lb2 that they should listen on that IP address. This is done by heartbeat which we install like this:

lb1/lb2:

apt-get install heartbeat

To allow Perlbal to bind to the shared IP address, we add the following line to /etc/sysctl.conf:

vi /etc/sysctl.conf

[...]
net.ipv4.ip_nonlocal_bind=1

… and run:

sysctl -p

Now we have to create three configuration files for heartbeat, /etc/ha.d/authkeys, /etc/ha.d/ha.cf, and /etc/ha.d/haresources. /etc/ha.d/authkeys and /etc/ha.d/haresources must be identical on lb1 and lb2, and /etc/ha.d/ha.cf differs by just one line!

lb1/lb2:

vi /etc/ha.d/authkeys

auth 3
3 md5 somerandomstring

somerandomstring is a password which the two heartbeat daemons on lb1 and lb2 use to authenticate against each other. Use your own string here. You have the choice between three authentication mechanisms. I use md5 as it is the most secure one.

/etc/ha.d/authkeys should be readable by root only, therefore we do this:

lb1/lb2:

chmod 600 /etc/ha.d/authkeys

lb1:

vi /etc/ha.d/ha.cf

#
# keepalive: how many seconds between heartbeats
#
keepalive 2
#
# deadtime: seconds-to-declare-host-dead
#
deadtime 10
#
# What UDP port to use for udp or ppp-udp communication?
#
udpport694
bcasteth0
mcast eth0 225.0.0.1 694 1 0
ucast eth0 192.168.0.101
# What interfaces to heartbeat over?
udp eth0
#
# Facility to use for syslog()/logger (alternative to log/debugfile)
#
logfacility local0
#
# Tell what machines are in the cluster
# nodenodename ...-- must match uname -n
nodelb1.example.com
nodelb2.example.com

Important: As nodenames we must use the output of

uname -n

on lb1 and lb2.

The udpport, bcast, mcast, and ucast options specify how the two heartbeat nodes communicate with each other to find out if the other node is still alive. You can leave the udpport, bcast, and mcast lines as shown above, but in the ucast line it’s important that you specify the IP address of the other heartbeat node; in this case it’s 192.168.0.101 (lb2.example.com).

On lb2 the file looks pretty much the same, except that the ucast line holds the IP address of lb1:

lb2:

vi /etc/ha.d/ha.cf

#
# keepalive: how many seconds between heartbeats
#
keepalive 2
#
# deadtime: seconds-to-declare-host-dead
#
deadtime 10
#
# What UDP port to use for udp or ppp-udp communication?
#
udpport694
bcasteth0
mcast eth0 225.0.0.1 694 1 0
ucast eth0 192.168.0.100
# What interfaces to heartbeat over?
udp eth0
#
# Facility to use for syslog()/logger (alternative to log/debugfile)
#
logfacility local0
#
# Tell what machines are in the cluster
# nodenodename ...-- must match uname -n
nodelb1.example.com
nodelb2.example.com

lb1/lb2:

vi /etc/ha.d/haresources

lb1.example.com 192.168.0.99

The first word is the output of

uname -n

on lb1, no matter if you create the file on lb1 or lb2! It is followed by our virtual IP address (192.168.0.99 in our example).

Finally we start heartbeat on both load balancers:

lb1/lb2:

/etc/init.d/heartbeat start

Then run:

lb1:

ip addr sh eth0

… and you should find that lb1 is now listening on the shared IP address, too:

lb1:~# ip addr sh eth0
2: eth0:  mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:a5:5b:93 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.100/24 brd 192.168.0.255 scope global eth0
    inet 192.168.0.99/24 brd 192.168.0.255 scope global secondary eth0:0
    inet6 fe80::20c:29ff:fea5:5b93/64 scope link
       valid_lft forever preferred_lft forever
lb1:~#

You can check this again by running:

ifconfig

lb1:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:A5:5B:93
          inet addr:192.168.0.100  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fea5:5b93/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:63983 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31480 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:92604963 (88.3 MiB)  TX bytes:2689903 (2.5 MiB)
          Interrupt:177 Base address:0×1400

eth0:0    Link encap:Ethernet  HWaddr 00:0C:29:A5:5B:93
          inet addr:192.168.0.99  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:177 Base address:0×1400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:56 errors:0 dropped:0 overruns:0 frame:0
          TX packets:56 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3888 (3.7 KiB)  TX bytes:3888 (3.7 KiB)

lb1:~#

As lb2 is the passive load balancer, it should not be listening on the virtual IP address as long as lb1 is up. We can check that with:

lb2:

ip addr sh eth0

The output should look like this:

lb2:~# ip addr sh eth0
2: eth0:  mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:e0:78:92 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.101/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::20c:29ff:fee0:7892/64 scope link
       valid_lft forever preferred_lft forever
lb2:~#

The output of

ifconfig

shouldn’t display the virtual IP address either:

lb2:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:E0:78:92
          inet addr:192.168.0.101  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fee0:7892/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:75127 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42144 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:109669197 (104.5 MiB)  TX bytes:3393369 (3.2 MiB)
          Interrupt:169 Base address:0×1400

lb2:~#

6 Starting Perlbal

Now we can start Perlbal:

lb1/lb2:

perlbal –daemon

Of course, you don’t want to start Perlbal manually each time you boot the load balancers. Therefore we open /etc/rc.local…

vi /etc/rc.local

… and add the line /usr/local/bin/perlbal –daemon to it (right before the exit 0 line):

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing./usr/local/bin/perlbal --daemon
exit 0

This will make Perlbal start automatically whenever you boot the load balancers.

(To stop Perlbal, run

killall perlbal

)

7 Testing

Our high-availability load balancer is now up and running.

You can now make HTTP requests to the virtual IP address 192.168.0.99 (or to any domain/hostname that is pointing to the virtual IP address), and you should get content from the backend web servers.

You can test its high-availability/failover capabilities by switching off one backend web server – the load balancer should then redirect all requests to the remaining backend web server. Afterwards, switch off the active load balancer (lb1) – lb2 should take over immediately. You can check that by running:

lb2:

ip addr sh eth0

You should now see the virtual IP address in the output on lb2:

lb2:~# ip addr sh eth0
2: eth0:  mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:e0:78:92 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.101/24 brd 192.168.0.255 scope global eth0
    inet 192.168.0.99/24 brd 192.168.0.255 scope global secondary eth0:0
    inet6 fe80::20c:29ff:fee0:7892/64 scope link
       valid_lft forever preferred_lft forever
lb2:~#

The same goes for the output of

ifconfig

When lb1 comes up again, it will take over the master role again.

8 Virtual Host Support In Perlbal

Perlbal suppports virtual hosts. Let’s assume we want requests for *.site.com to be served by the hosts with the IP addresses 192.168.0.102 and 192.168.0.103, and requests for *.example.com by the hosts 192.168.0.104 and 192.168.0.105. This is how /etc/perlbal/perlbal.conf would look:

vi /etc/perlbal/perlbal.conf

LOAD vhostsCREATE POOL webfarm1 POOL webfarm1 ADD 192.168.0.102:80 POOL webfarm1 ADD 192.168.0.103:80CREATE SERVICE balancer1 SET role= reverse_proxy SET pool= webfarm1 SET persist_client= on SET persist_backend = on SET verify_backend= on
ENABLE balancer1CREATE POOL webfarm2 POOL webfarm2 ADD 192.168.0.104:80 POOL webfarm2 ADD 192.168.0.105:80CREATE SERVICE balancer2 SET role= reverse_proxy SET pool= webfarm2 SET persist_client= on SET persist_backend = on SET verify_backend= on
ENABLE balancer2CREATE SERVICE vdemo SET listen = 192.168.0.99:80 SET role = selector SET plugins= vhosts SET persist_client = onVHOST *.site.com = balancer1 VHOST *.example.com= balancer2
ENABLE vdemo

9 Links

Perlbal: http://www.danga.com/perlbal/
Heartbeat: http://www.linux-ha.org/Heartbeat
Debian: http://www.debian.org

Setting Up A High-Availability Load Balancer (With Failover and Session Support) With Perlbal/Heartbeat On Debian Etch

admin — Fri, 21 May 2010 18:47:51 +0000

Setting Up A High-Availability Load Balancer (With Failover and Session Support) With Perlbal/Heartbeat On Debian Etch

Version 1.0
Author: Falko Timme
Last edited 12/29/2008

I do not issue any guarantee that this will work for you!

1 Preliminary Note

In this tutorial I will use the following hosts:

Load Balancer 1: lb1.example.com, IP address: 192.168.0.100
Load Balancer 2: lb2.example.com, IP address: 192.168.0.101
Web Server 1: http1.example.com, IP address: 192.168.0.102
Web Server 2: http2.example.com, IP address: 192.168.0.103
We also need a virtual IP address that floats between lb1 and lb2: 192.168.0.99

Here’s a little diagram that shows our setup:

    shared IP=192.168.0.99
192.168.0.100  192.168.0.101 192.168.0.102 192.168.0.103
——-+————+————–+———–+———-
        |            |              |           |
     +–+–+      +–+–+      +—-+—-+ +—-+—-+
     | lb1 |      | lb2 |      |  http1  | |  http2  |
     +—–+      +—–+      +———+ +———+
     Perlbal      Perlbal      2 web servers (Apache)
     heartbeat    heartbeat

The shared (virtual) IP address is no problem as long as you’re in your own LAN where you can assign IP addresses as you like. However, if you want to use this setup with public IP addresses, you need to find a hoster where you can rent two servers (the load balancer nodes) in the same subnet; you can then use a free IP address in this subnet for the virtual IP address.

http1 and http2 are standard Debian Etch Apache setups with the document root /var/www (the configuration of this default vhost is stored in /etc/apache2/sites-available/default). If your document root differs, you might have to adjust this guide a bit.

2 Preparing The Backend Web Servers

We will configure Perlbal as a transparent proxy, i.e., it will pass on the original user’s IP address in a field called X-Forwarded-For to the backend web servers. Of course, the backend web servers should log the original user’s IP address in their access logs instead of the IP addresses of our load balancers. Therefore we must modify the LogFormat line in /etc/apache2/apache2.conf and replace %h with %{X-Forwarded-For}i:

http1/http2:

vi /etc/apache2/apache2.conf

[...]
#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
[...]

Afterwards we restart Apache:

/etc/init.d/apache2 restart

We are finished already with the backend servers; the rest of the configuration happens on the two load balancer nodes.

3 Installing Perlbal

Perlbal is not available as a package for Debian Etch, but we can install it through the Perl shell. Before we do this, we install a few prerequisites:

lb1/lb2:

apt-get install build-essential unzip lynx ncftp perl

Afterwards we invoke the Perl shell as follows:

perl -MCPAN -e shell

On the Perl shell, we run the following three commands to install Perlbal:

force install HTTP::Date

install IO::AIO

force install Perlbal

Type

to leave the Perl shell.

4 Configuring The Load Balancers

Perlbal expects its configuration in the file /etc/perlbal/perlbal.conf which we create as follows:

lb1/lb2:

mkdir /etc/perlbal
vi /etc/perlbal/perlbal.conf

CREATE POOL webfarm POOL webfarm ADD 192.168.0.102:80 POOL webfarm ADD 192.168.0.103:80CREATE SERVICE balancer SET listen= 192.168.0.99:80 SET role= reverse_proxy SET pool= webfarm SET persist_client= on SET persist_backend = on SET verify_backend= on
ENABLE balancer

You won’t find much documentation about the Perlbal configuration on the Internet, so the best way to learn about the Perlbal configuration options is to download the latest Perlbal release from http://code.google.com/p/perlbal/downloads/list (e.g. http://perlbal.googlecode.com/files/Perlbal-1.70.tar.gz). Uncompress it and then take a look at the files in the conf/ and doc/ subdirectories. You will find some configuration examples and a list of configuration options there.

Setting Up A High-Availability Load Balancer (With Failover and Session Support) With Perlbal/Heartbeat On Debian Etch – Page 2

How To Install Django On Debian Etch (Apache2/mod_python)

admin — Thu, 13 May 2010 17:58:36 +0000

This tutorial explains how to install Django
on a Debian Etch server. Django is a web framework that allows to
develop Python web applications quickly with as much automation as
possible. I will use it with Apache2 and mod_python in this guide.

How To Install Django On Debian Etch (Apache2/mod_python)

Version 1.0
Author: Falko Timme
Last edited 07/16/2008

This tutorial explains how to install Django on a Debian Etch server. Django is a web framework that allows to develop Python web applications quickly with as much automation as possible. I will use it with Apache2 and mod_python in this guide.

This howto is meant as a practical guide; it does not cover the theoretical backgrounds. They are treated in a lot of other documents in the web.

This document comes without warranty of any kind! I want to say that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

1 Install MySQL

Django can use multiple database backends, e.g. PostgreSQL, MySQL, SQLite, etc. If you want to use MySQL, you can install it as follows:

apt-get install mysql-server mysql-client

We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:

vi /etc/mysql/my.cnf

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]

Then we restart MySQL:

/etc/init.d/mysql restart

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 3085/mysqld
server1:~#

Run

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

to set a password for the user root (otherwise anybody can access your MySQL database!).

2 Install Apache And mod_python

If Apache2 and mod_python aren’t already installed on your system, you can install them as follows:

apt-get install apache2 apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-python

3 Install Django

In order to install Django and the Python MySQL bindings, we run:

apt-get install python-django python-mysqldb

4 Configure Apache

I will use /var/www here as the document root of my virtual host and /etc/apache2/sites-available/default as the file containing the configuration of my virtual host. Adjust this to your circumstances.

Before we configure Apache, we must create a Django project (e.g. called mysite) (see http://www.djangoproject.com/documentation/tutorial01/). For security reasons I create that project outside my document root /var/www (e.g. in /home/mycode):

mkdir /home/mycode
cd /home/mycode
/usr/share/python-support/python-django/django/bin/django-admin.py startproject mysite

This will create the directory /home/mycode/mysite with some Python files in it.

Now with the project mysite created, we can configure Apache. I open my vhost configuration in /etc/apache2/sites-available/default and place the following lines between the … container:

vi /etc/apache2/sites-available/default

[...]
 SetHandler python-program PythonHandler django.core.handlers.modpython SetEnv DJANGO_SETTINGS_MODULE mysite.settings PythonDebug On PythonPath "['/home/mycode'] + sys.path"

[...]

The path in the first line () refers to the URL – meaning this configuration will be used if you use /mysite in the URL (e.g. http://www.example.com/mysite). You can change this to your likings. Please adjust the other values (SetEnv DJANGO_SETTINGS_MODULE mysite.settings and PythonPath “['/home/mycode'] + sys.path”) to the name of your project and the path where it is located.

Restart Apache afterwards:

/etc/init.d/apache2 restart

Now you can access http://www.example.com/mysite in a browser. If everything went well, you should see something like this:

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

This means Django has been successfully installed, and you can now use it to develop your Python web applications (please refer to http://www.djangoproject.com/documentation/ to learn how to develop web applications with Django).

5 Connect To A MySQL Database From A Django Project

If you want to use a MySQL database in your Django project, you should first create that database (e.g. mysite) and a database user (e.g. mysiteadmin) for that database:

mysql -u root -p

CREATE DATABASE mysite;
GRANT ALL ON mysite.* TO ‘mysiteadmin’@'localhost’ IDENTIFIED BY ‘mysiteadmin_password’;
GRANT ALL ON mysite.* TO ‘mysiteadmin’@'localhost.localdomain’ IDENTIFIED BY ‘mysiteadmin_password’;
FLUSH PRIVILEGES;
quit;

Then open the settings.py file in the project folder (e.g. /home/mycode/mysite) and modify the database settings, e.g. as follows:

vi /home/mycode/mysite/settings.py

[...]
DATABASE_ENGINE = 'mysql' # 'postgresql_psycopg2', 'postgresql', 'mysql', 'sqlite3' or 'ado_mssql'.
DATABASE_NAME = 'mysite' # Or path to database file if using sqlite3.
DATABASE_USER = 'mysiteadmin' # Not used with sqlite3.
DATABASE_PASSWORD = 'mysiteadmin_password' # Not used with sqlite3.
DATABASE_HOST = '' # Set to empty string for localhost. Not used with sqlite3.
DATABASE_PORT = '' # Set to empty string for default. Not used with sqlite3.
[...]

6 Links

How To Patch BIND9 Against DNS Cache Poisoning On Debian Etch

admin — Thu, 13 May 2010 17:58:31 +0000

This article explains how you can fix a BIND9 nameserver on a Debian Etch system so that it is not vulnerable anymore to DNS cache poisoning.

How To Patch BIND9 Against DNS Cache Poisoning On Debian Etch

Version 1.0
Author: Falko Timme
Last edited 07/28/2008

This article explains how you can fix a BIND9 nameserver on a Debian Etch system so that it is not vulnerable anymore to DNS cache poisoning.

This document comes without warranty of any kind!I do not issue any guarantee that this will work for you!

1 Checking If BIND Is Vulnerable

Run the following command against your nameserver to find out if it is vulnerable (replace ns1.example.com with your own nameserver address):

dig +short @ns1.example.com porttest.dns-oarc.net TXT

mh1:~# dig +short @ns1.example.com porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
“1.2.3.4 is POOR: 26 queries in 4.4 seconds from 1 ports with std dev 0.00″
mh1:~#

POOR indicates that BIND is vulnerable. In this case you must patch BIND.

If you don’t get any answer at all, this means that your DNS server is no recursive resolver which means it doesn’t answer queries for domains that it isn’t authoritative for. In this case you’re not vulnerable to cache poisoning, but still I strongly advise to update BIND!

2 Patching BIND

This is not so much a patch, but an update. Simply run

apt-get install bind9 bind9-host

This will install the updated BIND packages from the Debian repositories.

Afterwards open /etc/bind/named.conf and modify the options section. If you don’t need a recursive resolver (i.e., if your nameserver should answer only queries for domains that it is responsible for), add allow-recursion { none; };. That way you turn off caching for other domains. The second line you should add is dnssec-enable yes; – this makes that BIND answers queries on random ports which are harder to guess for hackers (remember the answer to our dig command in chapter 1: [...]26 queries in 4.4 seconds from 1 ports[...] – BIND was answering on only one port…).

Correction: I’ve just received the following email from Alan Clegg:

Good day!

I just read your writeup at:

http://www.tusforyou.com/how-to-patch-bind-to-avoid-cache-poisoning-debian-etch

and have a couple of comments.

First off, thanks for writing this. We need as many people to fix this
problem as possible.

Secondly, there is a minor error that should be corrected. You state:

“The second line you should add is dnssec-enable yes; – this makes that
BIND answers queries on random ports which are harder to guess for hackers”

Actually, this line enables the server to respond with DNSSEC records
when the “DO” (DNSSEC OK) bit is set in the question being asked.

What you want people to look for is a statement like:

query-source [...] port XX;

Where the XX is a fixed port number on which the queries from this
system are to be sent. This undoes everything that the new versions of
BIND do to randomize the UDP source port.

If you have any questions, please feel free to send e-mail.

Alan Clegg
Internet Systems Consortium (ISC)
Training and Support

vi /etc/bind/named.conf

[...]
options { pid-file "/var/run/bind/run/named.pid"; directory "/etc/bind"; auth-nxdomain no; allow-recursion { none; }; dnssec-enable yes; /** If there is a firewall between you and nameservers you want* to talk to, you might need to uncomment the query-source* directive below.Previous versions of BIND always asked* questions using port 53, but BIND 8.1 uses an unprivileged* port by default.*/ // query-source address * port 53;
};
[...]

Restart BIND afterwards:

/etc/init.d/bind9 restart

(If you’re using ISPConfig, your changes will be overwritten by ISPConfig. To prevent this, we take the named.conf template file /root/ispconfig/isp/conf/named.conf.master, modify it as shown above, and save the modified template in the /root/ispconfig/isp/conf/customized_templates directory => /root/ispconfig/isp/conf/customized_templates/named.conf.master. Please also modify /etc/bind/named.conf as shown above in addition to that.)

3 Checking BIND Again

Now we run the query from chapter 1 again:

dig +short @ns1.example.com porttest.dns-oarc.net TXT

If all went well, it should now show GOOD instead of POOR, and it should use more than just one port:

mh1:~# dig +short @ns1.example.com porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
“1.2.3.4 is GOOD: 26 queries in 4.4 seconds from 26 ports with std dev 20195.32″
mh1:~#

Congratulations, you have just fixed BIND!

You can also run the dig command against your ISP’s nameservers to find out if their nameservers are still vulnerable. If they are, you should urge your ISP to update their nameservers!

Creating Simple Virtual Hosts With mod_mysql_vhost On Lighttpd (Debian Etch)

admin — Thu, 13 May 2010 17:58:29 +0000

This guide explains how you can use mod_mysql_vhost to create simple
virtual hosts on a lighttpd web server on Debian Etch. With
mod_mysql_vhost, lighttpd can read the vhost configuration from a MySQL
database. Currently, you can store the domain and the document root in
the MySQL database which results in very simple virtual hosts. If you
need more directives for your vhosts, you’d have to configure them in
the global section of lighttpd.conf, which means they’d be valid for
all vhosts. Therefore, mod_mysql_vhost is ideal if your vhosts differ
only in the domain and document root.

Creating Simple Virtual Hosts With mod_mysql_vhost On Lighttpd (Debian Etch)

Version 1.0
Author: Falko Timme
Last edited 07/31/2008

This guide explains how you can use mod_mysql_vhost to create simple virtual hosts on a lighttpd web server on Debian Etch. With mod_mysql_vhost, lighttpd can read the vhost configuration from a MySQL database. Currently, you can store the domain and the document root in the MySQL database which results in very simple virtual hosts. If you need more directives for your vhosts, you’d have to configure them in the global section of lighttpd.conf, which means they’d be valid for all vhosts. Therefore, mod_mysql_vhost is ideal if your vhosts differ only in the domain and document root.

I do not issue any guarantee that this will work for you!

1 Installing MySQL 5.0

First we install MySQL 5.0 like this:

apt-get install mysql-server mysql-client

Create a password for the MySQL user root (replace yourrootsqlpassword with the password you want to use):

mysqladmin -u root password yourrootsqlpassword

Then check with

netstat -tap | grep mysql

on which addresses MySQL is listening. If the output looks like this:

tcp 0 0 localhost.localdo:mysql *:* LISTEN 2713/mysqld

which means MySQL is listening on localhost.localdomain only, then you’re safe with the password you set before. But if the output looks like this:

tcp 0 0 *:mysql *:* LISTEN 2713/mysqld

you should set a MySQL password for your hostname (my hostname is server1.example.com here), too, because otherwise anybody can access your database and modify data:

mysqladmin -h server1.example.com -u root password yourrootsqlpassword

2 Installing Lighttpd And mod_mysql_vhost

You can install lighttpd (if it’s not already installed) and mod_mysql_vhost as follows:

apt-get install lighttpd lighttpd-mod-mysql-vhost

To enable mod_mysql_vhost, we open /etc/lighttpd/lighttpd.conf and add/enable “mod_mysql_vhost”, in the server.modules stanza:

vi /etc/lighttpd/lighttpd.conf

[...]
server.modules= ( "mod_access", "mod_alias", "mod_accesslog", "mod_mysql_vhost",
# "mod_rewrite",
# "mod_redirect",
# "mod_status",
# "mod_evhost",
# "mod_compress",
# "mod_usertrack",
# "mod_rrdtool",
# "mod_webdav",
# "mod_expire",
# "mod_flv_streaming",
# "mod_evasive")
[...]

Afterwards, we restart lighttpd:

/etc/init.d/lighttpd restart

3 Configuring mod_mysql_vhost

Now we log in to MySQL…

mysql -u root -p

… and create the database lighttpd:

CREATE DATABASE lighttpd;

Next we create a database user (which we name lighttpd as well) with SELECT privileges for the lighttpd database:

GRANT SELECT ON lighttpd.* TO lighttpd@localhost IDENTIFIED BY ‘secret’;
GRANT SELECT ON lighttpd.* TO lighttpd@localhost.localdomain IDENTIFIED BY ‘secret’;
FLUSH PRIVILEGES;

(Replace secret with a password of your choice.)

Then we create the domains table in the lighttpd database and leave MySQL:

USE lighttpd;

CREATE TABLE domains (
domain varchar(64) not null primary key,
docroot varchar(128) not null
);

quit;

Now we open /etc/lighttpd/lighttpd.conf and add the following mod_mysql_vhost configuration at the end of the file:

vi /etc/lighttpd/lighttpd.conf

[...]
mysql-vhost.db = "lighttpd"
mysql-vhost.user = "lighttpd"
mysql-vhost.pass = "secret"
mysql-vhost.sql= "SELECT docroot FROM domains WHERE domain='?';"
mysql-vhost.hostname = "localhost"
mysql-vhost.port = 3306

(Replace secret with the password you’ve previously set for the lighttpd MySQL user.)

Restart lighttpd:

/etc/init.d/lighttpd restart

Now it’s time to configure virtual hosts…

4 Configuring Virtual Hosts

I will now configure two virtual hosts, one for www.example.com (with the document root /var/www/www.example.com/web) and one for www.example.org (with the document root /var/www/www.example.org/web).

First, we create the document roots of both web sites (if they don’t already exist):

mkdir -p /var/www/www.example.com/web
mkdir -p /var/www/www.example.org/web

Then we log in to MySQL…

mysql -u root -p

USE lighttpd;

… and create the vhosts as follows:

INSERT INTO domains VALUES (‘www.example.com’,'/var/www/www.example.com/web/’);
INSERT INTO domains VALUES (‘www.example.org’,'/var/www/www.example.org/web/’);

We can now leave the MySQL shell:

quit;

That’s it, the vhosts are now configured and working, and no lighttpd restart is required.

To check if the vhosts are working as expected, we create an index.html file in each document root, one with the string “www.example.com” in it, the other one with the string “www.example.org”…

echo “www.example.com” > /var/www/www.example.com/web/index.html
echo “www.example.org” > /var/www/www.example.org/web/index.html

and call http://www.example.com and http://www.example.org in a browser. http://www.example.com should show www.example.com, and http://www.example.org should display www.example.org.

5 Links

mod_mysql_vhost: http://trac.lighttpd.net/trac/wiki/Docs#Optionsformod_mysql_vhost-Mysqlvirtualhostingmodule
Lighttpd: http://www.lighttpd.net
Debian: http://www.debian.org

How To Set Up WebDAV With Lighttpd On Debian Etch Page 2

admin — Thu, 13 May 2010 17:58:27 +0000

This guide explains how to set up WebDAV with lighttpd on a Debian Etch server. WebDAV stands for Web-based Distributed Authoring and Versioning
and is a set of extensions to the HTTP protocol that allow users to
directly edit files on the lighttpd server so that they do not need to
be downloaded/uploaded via FTP. Of course, WebDAV can also be used to
upload and download files.

4 Configure The Virtual Host For WebDAV

Now we create the WebDAV password file /var/www/web1/passwd.dav with the user test (the -c switch creates the file if it does not exist):

htpasswd -c /var/www/web1/passwd.dav test

You will be asked to type in a password for the user test.

(Please don’t use the -c switch if /var/www/web1/passwd.dav is already existing because this will recreate the file from scratch, meaning you lose all users in that file!)

Now we change the permissions of the /var/www/web1/passwd.dav file so that only root and the members of the www-data group can access it:

chown root:www-data /var/www/web1/passwd.dav
chmod 640 /var/www/web1/passwd.dav

Now we modify our vhost in /etc/lighttpd/lighttpd.conf so that it looks as follows:

vi /etc/lighttpd/lighttpd.conf

$HTTP["host"] == "www.example.com" { server.document-root = "/var/www/web1/web" alias.url = ( "/webdav" => "/var/www/web1/web" ) $HTTP["url"] =~ "^/webdav($|/)" { webdav.activate = "enable" webdav.is-readonly = "disable" webdav.sqlite-db-name = "/var/run/lighttpd/lighttpd.webdav_lock.db" auth.backend = "htpasswd" auth.backend.htpasswd.userfile = "/var/www/web1/passwd.dav" auth.require = ( "" => ( "method" => "basic","realm" => "webdav","require" => "valid-user" ) ) }
}

The alias.url directive makes (together with $HTTP["url"] =~ “^/webdav($|/)”) that when you call /webdav, WebDAV is invoked, but you can still access the whole document root of the vhost. All other URLs of that vhost are still “normal” HTTP.

Restart lighttpd afterwards:

/etc/init.d/lighttpd restart

5 Testing WebDAV

We will now install cadaver, a command-line WebDAV client:

apt-get install cadaver

To test if WebDAV works, type:

cadaver http://www.example.com/webdav/

You should be prompted for a user name. Type in test and then the password for the user test. If all goes well, you should be granted access which means WebDAV is working ok. Type quit to leave the WebDAV shell:

server1:~# cadaver http://www.example.com/webdav/
Authentication required for webdav on server `www.example.com’:
Username: test
Password:
dav:/webdav/> quit
Connection to `www.example.com’ closed.
server1:~#

6 Configure A Windows XP Client To Connect To The WebDAV Share

This is described on http://www.tusforyou.com/setting-up-webdav-with-apache2-on-debian-etch-p2.

Please specify the port in the WebDAV URL, e.g. http://www.example.com:80/webdav. For some strange reason this makes Windows XP accept the normal username (e.g. test) – otherwise Windows XP expects NTLM usernames (that would have the form www.example.com\test).

7 Configure A Linux Client (GNOME) To Connect To The WebDAV Share

This is described on http://www.tusforyou.com/setting-up-webdav-with-apache2-on-debian-etch-p3.

8 Links

How To Set Up WebDAV With Lighttpd On Debian Etch

admin — Thu, 13 May 2010 17:58:24 +0000

How To Set Up WebDAV With Lighttpd On Debian Etch

Version 1.0
Author: Falko Timme
Last edited 07/24/2008

This guide explains how to set up WebDAV with lighttpd on a Debian Etch server. WebDAV stands for Web-based Distributed Authoring and Versioning and is a set of extensions to the HTTP protocol that allow users to directly edit files on the lighttpd server so that they do not need to be downloaded/uploaded via FTP. Of course, WebDAV can also be used to upload and download files.

I do not issue any guarantee that this will work for you!

1 Preliminary Note

I’m using a Debian Etch server with the IP address 192.168.0.100 here.

2 Installing WebDAV

You can install lighttpd (if it’s not already installed), the lighttpd WebDAV module and the apache2-utils package (which contains the tool htpasswd which we will need later on to generate a password file for the WebDAV share) as follows:

apt-get install lighttpd lighttpd-mod-webdav apache2-utils

Afterwards, create the directory /var/run/lighttpd and make it owned by the www-data user and group. This directory will contain an SQLite database needed by WebDAV:

mkdir /var/run/lighttpd/
chown www-data:www-data /var/run/lighttpd/

Next, we enable the module mod_auth:

lighty-enable-mod auth

… and open /etc/lighttpd/lighttpd.conf to make sure that the modules mod_alias and mod_webdav are enabled in the server.modules stanza:

vi /etc/lighttpd/lighttpd.conf

[...]
server.modules= ( "mod_access", "mod_alias", "mod_accesslog",
# "mod_rewrite",
# "mod_redirect",
# "mod_status",
# "mod_evhost",
# "mod_compress",
# "mod_usertrack",
# "mod_rrdtool", "mod_webdav",
# "mod_expire",
# "mod_flv_streaming",
# "mod_evasive")
[...]

Restart lighttpd afterwards:

/etc/init.d/lighttpd restart

3 Creating A Virtual Host

I will now create a lighttpd vhost (www.example.com) in the directory /var/www/web1/web. If you already have a vhost for which you’d like to enable WebDAV, you must adjust this tutorial to your situation.

First, we create the directory /var/www/web1/web and make the lighttpd user (www-data) the owner of that directory:

mkdir -p /var/www/web1/web
chown www-data:www-data /var/www/web1/web

Then we open /etc/lighttpd/lighttpd.conf and add the following vhost to the end of the file:

vi /etc/lighttpd/lighttpd.conf

[...]
$HTTP["host"] == "www.example.com" { server.document-root = "/var/www/web1/web"
}

Afterwards we restart lighttpd:

/etc/init.d/lighttpd restart

How To Set Up WebDAV With Lighttpd On Debian Etch – Page 2