
Showing posts with the label Webserver

OKD - Create a Homelab Cluster - Prep and Bootstrap

We'll be working on the Servers that are surrounded by the continuous lines in this drawing: Most of the Setup is already done; from here on out the heavy lifting will be done by the installer. But first, there's still a few small things left to do: getting the installation artifacts. Specifically, I'm talking about these artifacts that still need to be downloaded: fedora coreos image, openshift-installer, openshift-client, helm, butane. Since we've set up a shared storage for the webservers that will host these files, they will only need to be downloaded once and can be served from the internal share. I'll download all the artifacts on one of the helper nodes: [archy@helper01 ~]$ sudo -Hiu root [root@helper01 ~]# curl -4kLo '/var/www/html/okd/fcos-39.iso' -X 'GET' -H 'Accept: application/octet-stream' -H 'User-Agent: curl/7.76.1' 'https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/39.20240210.3.0/x86_64/fedora-coreo...

OKD - Create a Homelab OKD Cluster - HTTPD

We'll be working on the Servers that are surrounded by the continuous lines in this drawing: The HTTPD setup here is only for sharing the files the installer requires, meaning I'll barely use any features and leave the default config in place for most things. First, install httpd: [archy@helper01 ~]$ sudo dnf -4y --refresh install httpd Now, let's edit the httpd config and change the default ports since they're already in use by HAProxy for the 'http-ingress' and 'https-ingress' services: [archy@helper01 ~]$ sudo sed -i 's/Listen 80/Listen 8080/g' /etc/httpd/conf/httpd.conf [archy@helper01 ~]$ sudo sed -i 's/Listen 443/Listen 8443/g' /etc/httpd/conf/httpd.conf Also, edit the dummy ssl config to listen on Port 10443 to ensure there are no conflicts with port bindings on reboots: [archy@helper01 ~]$ sudo sed -i 's/Listen 443/Listen 10443/g' /etc/httpd/conf.d/ssl.conf Using Port 10443/tcp will also require adding the ...

Foreman - '403 Forbidden' when downloading katello-ca-consumer-latest.noarch.rpm

So recently, after the update to Foreman 3.5 and Katello 4.7, I was not able to register hosts to Foreman during the kickstart installation and the automatic installation returned a 403 forbidden error. Forbidden errors usually point to permission issues on the files being accessed, but let's check the logs first: [root@katello01 ~]# tail -n 5 /var/log/httpd/foreman_error.log [Wed Jan 25 21:44:42.163317 2023] [core:error] [pid 73542:tid 140108057532160] (13)Permission denied: [client 172.31.10.138:60944] AH00132: file permissions deny server access: /var/www/html/pub/katello-ca-consumer-latest.noarch.rpm The logs confirm it's a permission issue, so change the permissions of the files to '644' if they aren't already. [root@katello01 ~]# find /var/www/html/pub -maxdepth 1 -type f -name '*katello-ca-consumer*' ! -perm 644 -exec chmod 644 {} \; You will not need to restart httpd for this to take effect. Provisioning VMs should now be working again. Feel ...

Monitoring - Add Certificate to Zabbix

By default, zabbix runs on http and sends all login data in cleartext which is not ideal in terms of security. This is a short writeup on how to configure the zabbix-frontend to run on https. First up, you'll need a certificate. This can be obtained from your internal CA or you can generate a self-signed certificate using this handy command: [archy@zabbix ~]$ sudo openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/pki/tls/private/zabbix.archyslife.lan.key -out /etc/pki/tls/certs/zabbix.archyslife.lan.cert Now that you've got the certificate, reconfigure httpd to also listen on port 443. Add this line to /etc/httpd/conf/httpd.conf: [archy@zabbix ~]$ sudo vim /etc/httpd/conf/httpd.conf Listen 443 Now, let's configure the zabbix virtualhost. The virtualhost config is a slightly altered version of the default version provided by zabbix. [archy@zabbix ~]$ sudo vim /etc/httpd/conf.d/zabbix.conf Alias /zabbix /usr/share/zabbix <VirtualHost *:443>...

CentOS - Create a mirror

If you happen to have a sufficient connection (requirements) and enough resources to spare, I'd encourage you to think about hosting a mirror server for one of your favorite projects. In my case, I will demonstrate the creation of a public mirror for centos in my local LAN environment. Software you will need: tmux, rsync, and a webserver of your choice (I will use nginx). First up, let's create the basic directory structure for serving the files. My basic webroot will be /srv/mirror and the specific synced content will reside in subdirectories so that the structure looks as follows: /srv/  └── mirror    ├── centos    ├── epel    └── whatever First, create the webroot and from here on out, rsync will do the rest. [archy@repo01 ~]$ mkdir /srv/mirror [archy@repo01 ~]$ mkdir -p /etc/nginx/{sites-available,sites-enabled} I will be using rsync to sync the content every 4 hours. This will lead to this line in your crontab: 0 *...

NGINX - Setting up https redirection

NGINX is a lightweight webserver with many more features than just being a webserver, but I'm just going to dig a bit deeper into the webserver functionality for now. As the title says, this is about redirecting traffic from http to https using nginx. I'll be hosting the site on the nginx directly. This is how a simple config for serving static html might look: [archy@websrv ~]$ sudo cat /etc/nginx/sites-available/http_example.com.conf server { listen 80; server_name www.example.com; root /var/www/html; index index.html index.htm index.nginx-debian.html; location / { try_files $uri $uri/ =404; } } If you want to redirect traffic from http to https, you'll only have to make minor changes to the config: [archy@websrv ~]$ sudo cat /etc/nginx/sites-available/http_example.com.conf server { listen 80; server_name ...

Setting up Zabbix with PostgreSQL 9.6 on Debian9

I recently decided to change my internal monitoring at home from nagios to Zabbix. The main reason was that I won't have to write config files with zabbix. I used a raspberry pi 3 running raspbian 9 which I had idling around, and for home use this should be enough since I will only monitor around 4-5 devices using the agent. The shown steps should be the same on an updated debian9 system. Anyway, I'd suggest pushing the database (in my case postgresql) to a separate HDD or anything else not on the sd-card, since the db will have a lot of write-cycles which will wear the flash down very quickly. I checked the internet for some good HowTos but even the documentation on the zabbix page was missing some information. So I decided to write down the steps it took me to get up and running with zabbix. First you'll have to install the zabbix-server-pgsql package and if you want the webfrontend, also install the zabbix-webfrontend-php package. [archy@zabbix ~]$ sudo apt-...

Apache - Host 2 Websites on the same IP and Port

The apache webserver is currently (at the date of writing this (08/2018)) the most popular web server for serving content on the internet. The functionality we'll look at in this article is called 'Virtual Hosts'. A virtual host is essentially another domain running on the same server instance of apache. For this demonstration, I'm going to use a CentOS 7.5. First, update your system: [archy@websrv ~]$ sudo yum -y update Next install apache on the server: [archy@websrv ~]$ sudo yum -y install httpd By default, the webserver will not start on boot so we'll change that and start it for now: [archy@websrv ~]$ sudo systemctl enable httpd.service [archy@websrv ~]$ sudo systemctl start httpd.service By now your webserver is already serving the default-welcome page. This can be checked by curl or simply pointing your browser to the server's address. But since I don't have any firewall-rules set up yet, I'm going to use cur...