Howtos and FAQs

OpenVPN using a tun or tap device with OpenVZ/Virtuozzo

If you want to run OpenVPN within a Virtuozzo or OpenVZ container using the tun or tap device you probably need to make a few config changes on the hardware node and the container. First of all you need to be sure that the tun module is loaded on the hardware node itself. The easiest way to check that is using lsmod:
 

Running Apache in chroot jail

When Apache runs chrooted and is configured correctly, Apache and its child processes (PHP, CGI scripts) can't access anything above the ChrootDir, provided they run as a non-root user. You can easily set up an Apache chroot jail using mod_chroot. Keep in mind that you should never create special device files, suid binaries or hardlinks in the chroot directories, and do not run Apache, PHP or Perl as root.

 

How to set up Apache in a chroot jail?

In this how-to I assume you already have apache installed on your system.

Setup Apache's jail directory

Create a directory and its subdirectories for Apache's jail:

mkdir /apachejail
mkdir -p /apachejail/var/run
mkdir -p /apachejail/home/httpd
mkdir -p /apachejail/var/www/html
mkdir -p /apachejail/tmp
chmod 1777 /apachejail/tmp
mkdir -p /apachejail/var/lib/php/session
chown -R root:root /apachejail/var/run
chown root:apache /apachejail/var/lib/php/session

Edit /etc/php.ini:

Find the line:

session.save_path = "/var/lib/php/session"

Replace with:

session.save_path = "/apachejail/var/lib/php/session"

Download and install mod_chroot

As far as I know there is no mod_chroot rpm available for CentOS/RedHat

Download the latest source from http://core.segfault.pl/~hobbit/mod_chroot/dist/, and unpack the source. At the time of this writing version 0.5 is the most recent package.

cd /tmp
wget http://core.segfault.pl/~hobbit/mod_chroot/dist/mod_chroot-0.5.tar.gz
tar -zxvf mod_chroot-0.5.tar.gz

Go to the source directory, then compile and install mod_chroot using apxs:

cd mod_chroot-0.5
apxs -cia mod_chroot.c

Edit httpd.conf to use mod_chroot

Edit /etc/httpd/conf/httpd.conf, find the line:

PidFile run/httpd.pid

Replace with:

PidFile /var/run/httpd.pid

Add the line:

ChrootDir /apachejail

Find the line:

ServerRoot "/etc/httpd"

And add:

LockFile /var/run/httpd.lock
CoreDumpDirectory /var/run
ScoreBoardFile /var/run/httpd.scoreboard
LoadModule chroot_module /usr/lib64/httpd/modules/mod_chroot.so

Disable Apache SELinux Protection

Edit /etc/selinux/targeted/booleans and change or add the value for httpd_disable_trans:

httpd_disable_trans=1

Enter the following command:

setsebool httpd_disable_trans 1

Edit Apache's startup script

Edit /etc/init.d/httpd

Find the lines:

stop() {
echo -n $"Stopping $prog: "

and change them to:

stop() {
/bin/ln -sf /apachejail/var/run/httpd.pid /var/run/httpd.pid
echo -n $"Stopping $prog: "
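
A check for the warning at the top of this how-to (no device files, suid binaries or hardlinks in the chroot directories), as an added example that is not part of the original how-to. The function names are hypothetical helpers, and /apachejail is the jail path used above.

```shell
#!/bin/sh
# Added example: audit a chroot jail for the items the how-to says must not
# exist there. The helper names are hypothetical; they are not part of
# mod_chroot or Apache. Usage: audit_jail /apachejail

# List block and character device files inside the jail.
jail_devices() {
    find "$1" -xdev \( -type b -o -type c \) -print 2>/dev/null
}

# List regular files with the setuid or setgid bit set.
jail_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# List regular files with more than one hard link: another name for the
# same inode may live outside the jail.
jail_hardlinks() {
    find "$1" -xdev -type f -links +1 -print 2>/dev/null
}

# Print findings prefixed by category; return non-zero if anything was found.
audit_jail() {
    jail=${1:-/apachejail}   # default: the jail path used in this how-to
    rc=0
    for check in devices suid hardlinks; do
        hits=$("jail_$check" "$jail")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed "s|^|[$check] |"
            rc=1
        fi
    done
    return $rc
}
```

Run `audit_jail /apachejail` after populating the jail and again after each change to its contents; a non-zero exit status means at least one finding was printed.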
 

How to set up MySQL replication

There are a number of different methods for setting up replication, and the exact method that you use will depend on how you are setting up replication, and whether you already have data within your master database.

Create a user for replication

The slaves need to connect to the master using an account granted ‘REPLICATION SLAVE’. As the username and password are stored in a plain-text file, it is advisable to create a user that only has privileges for the replication.
 

How to recover from a lost MySQL root password

If you somehow lost the MySQL root password, it is possible to recover in just a few steps.

First stop the running MySQL daemon process:
 

Migrate from BIND to PowerDNS

To migrate from BIND to PowerDNS you have to convert and import the BIND zone files into the PowerDNS database. The program zone2sql is installed together with the PowerDNS package. zone2sql parses the BIND config and zone files into an SQL format which can be imported into your database.

In this example I will convert the BIND zones to a MySQL dump, but zone2sql can also be used to convert the zones to an Oracle or PostgreSQL SQL file. I assume you have already set up PowerDNS with the MySQL backend as published here.
 

Prevent non-root users from logging into the system

Sometimes it can be useful to prevent non-root users from logging into the system, for example during maintenance. If you, as root, create a new file /etc/nologin and write a message in it, any non-root user is refused login and the message written in /etc/nologin is displayed. To change back to normal and allow other users to log in again, delete /etc/nologin.
 