The Gahooa Perspective » System Administration

Essentials of DNS: understand the basics well

Jason Garber — Thu, 16 Dec 2010 00:01:48 +0000

DNS stands for “Domain Name Service”. It is the mechanism in which the internet is able to map a name (eg www.sgasoftware.com) to an IP address (eg 12.34.56.78).

This writeup is not designed to be 100% technically accurate. Rather, it is designed to give a layman understanding of relevant parts of the DNS system.

Much more comprehensive information can be found here: http://en.wikipedia.org/wiki/Domain_Name_System

A bit on IP Addresses and Routing

Packets of data to move to and fro across the internet based entirely on IP Address. At every “network meeting point” on the internet, there is a router which examines all traffic to find out where it is headed, and then sends it to the next step. This process is repeated at each “network meeting point” until the traffic arrives at the destination.

There is a popular utility called “Trace Route”, which will demonstrate all of the routers that a packet of data must go through to get from where you are to where it is headed. In the following example, I ran a traceroute to www.google.com.

Notice the first step was a DNS lookup, converting www.google.com to 72.14.204.99.

c:\>tracert www.google.com

Tracing route to www.l.google.com [72.14.204.99]

over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.0.1 (our office router/gateway))

2 1 ms <1 ms <1 ms 10.1.10.1 (our cable modem (another router/gateway)

3 15 ms 13 ms 12 ms 96.179.208.1

4 9 ms 9 ms 10 ms ge-2-20-ur01.blairsville.pa.pitt.comcast.net [68.86.146.165]

5 14 ms 10 ms 9 ms te-9-1-ur01.indiana.pa.pitt.comcast.net [68.86.100.178]

6 10 ms 55 ms 30 ms te-9-3-ur01.punxy.pa.pitt.comcast.net [68.87.173.81]

7 12 ms 18 ms 19 ms te-9-1-ur01.ruralvalley.pa.pitt.comcast.net [68.86.100.122]

8 21 ms 63 ms 53 ms te-6-3-ar01.pittsburgh.pa.pitt.comcast.net [68.87.173.73]

9 28 ms 29 ms 27 ms te-3-1-0-0-cr01.chicago.il.ibone.comcast.net [68.86.90.181]

10 25 ms 28 ms 25 ms pos-1-6-0-0-pe01.350ecermak.il.ibone.comcast.net [68.86.87.130]

11 43 ms 44 ms 44 ms as15169-1.350ecermak.il.ibone.comcast.net [75.149.230.198]

12 48 ms 52 ms 58 ms 209.85.254.130

13 37 ms 39 ms 39 ms 209.85.248.222

14 36 ms 43 ms 41 ms 66.249.94.46

15 42 ms 39 ms 39 ms iad04s01-in-f99.1e100.net [72.14.204.99]

Trace complete.

In true geek fashion, after 15 hops, our packet reached 1e100.net. Google was derived from the word Googol, which is a number with 1 and 100 zeros. Henceforth, 1e100.net stands for something to that effect.

Why does this matter?

It is important to understand that computers are binary, and therefore require input to be ultimately converted to binary. An IPv4 address is simply 32 bits, but rather than presenting it as 11000000.10101000.00000000.00000001, humans find it more convenient to look at it like 192.168.0.1. However, that is still a far cry from a human readable name like mail.domain.com.

This is where DNS comes into play. DNS is a system which allows people to use names, while still providing for computers to use the numbers. Of the many benefits of DNS, it allows you to move a domain to another IP address while keeping the domain name the same.

Common Types of DNS Records

DNS records come in several types:

A record

Points to a specific IP address. ”A” stands for “Address”.

This means that appcove.com should resolve to 74.205.111.168

appcove.com. 70755 IN A 74.205.111.168

CNAME record

Points to another record. ”CNAME” stands for “Canonical Name Record”

This means that www.appcove.com should resolve to appcove.com and in turn resolve to 74.205.111.168

www.appcove.com. 86400 IN CNAME appcove.com.

MX record

Specifies a domain which will handle incoming email for the domain.

This means that mail sent to @appcove.com will be handled by APPCOVE.COM.S9A1.PSMTP.com, and if that does not work, send it to APPCOVE.COM.S9A2.PSMTP.com and so on. The weight indicates which server should be tried first — the lower the weight, the better.

appcove.com. 86400 IN MX 40 APPCOVE.COM.S9B2.PSMTP.com.

appcove.com. 86400 IN MX 10 APPCOVE.COM.S9A1.PSMTP.com.

appcove.com. 86400 IN MX 20 APPCOVE.COM.S9A2.PSMTP.com.

appcove.com. 86400 IN MX 30 APPCOVE.COM.S9B1.PSMTP.com.

NS record

Delegates a DNS zone to use the given authoritative name servers. ”NS” stands for “Name Server”.

This means that DNS for appcove.com is to be handled by either ns.rackspace.com or ns2.rackspace.com.

appcove.com. 57957 IN NS ns.rackspace.com.

appcove.com. 57957 IN NS ns2.rackspace.com.

TXT record

Specifies arbitrary text associated with a name. ”TXT” stands for “Text”

The provides a mechanism for the DNS system to be extended with different bits of text about a domain name. The following TXT record stores SPF information, used to specify what servers are allowed to send mail on behalf of appcove.com.

appcove.com.            86400   IN      TXT     "v=spf1 include:fogcreek.com include:aspmx.googlemail.com ip4:207.126.144.0/20 ip4:64.18.0.0/20 ip4:74.125.148.0/22  ~all"

DNS Propagation

DNS is a distributed system. This means that there are thousands of DNS servers scattered around the globe. Most internet providers will have their own DNS servers. Most hosting providers will have their own DNS servers. Etc…

How do they all stay in sync? They do and they don’t!

Every DNS entry has a corresponding TTL value associated with it. TTL means “time to live”. This value, expressed in seconds, states how long a given DNS entry is valid before it must be refreshed from the “authoritative” DNS server for the given domain. Typically, the TTL is set to 86,400 seconds, or 1 day.

With a TTL of 1 day, any changes to authoritative DNS records may take up to a full day (or more) to propagate around the internet. This is worth keeping in mind before you engage in any important DNS changes.

The proper way to change DNS is to first, at least 48 hours prior to the transition period, change the TTL to a very low value (like 5 minutes). It will still take at least a day for this to fully propagate to all relevant DNS servers. However, once they are all aware that the TTL is 5 minutes, they will frequently check your authoritative server for updates every 5 minutes or each time a new request comes in for one of your DNS records, whichever is longer.

In other words, DNS servers only look up what they are asked to look up. Then they retain it for the TTL period, and finally discard it (only to repeat if needed).

Authoritative DNS

Every domain must be registered with a registrar. Part of this registration information for every domain, is the DNS servers to use as “authoritative dns information” for that domain. These NS records are transmitted to the root nameserver system.

Every top level domain (com, net, edu, org, us, gb, br, uk, au, etc…) all have their own authoritative DNS servers. This information is kept in the world’s root name servers, which are currently:

a.root-servers.net. 117655 IN A 198.41.0.4

a.root-servers.net. 196594 IN AAAA 2001:503:ba3e::2:30

b.root-servers.net. 113829 IN A 192.228.79.201

c.root-servers.net. 120655 IN A 192.33.4.12

d.root-servers.net. 113757 IN A 128.8.10.90

e.root-servers.net. 115554 IN A 192.203.230.10

f.root-servers.net. 121256 IN A 192.5.5.241

f.root-servers.net. 280321 IN AAAA 2001:500:2f::f

g.root-servers.net. 113755 IN A 192.112.36.4

h.root-servers.net. 116456 IN A 128.63.2.53

h.root-servers.net. 206320 IN AAAA 2001:500:1::803f:235

i.root-servers.net. 115856 IN A 192.36.148.17

i.root-servers.net. 337685 IN AAAA 2001:7fe::53

j.root-servers.net. 119155 IN A 192.58.128.30

If you lookup the NS record for com at one of the above root servers, you will be told this:

d.gtld-servers.net. 16131 IN A 192.31.80.30

g.gtld-servers.net. 74653 IN A 192.42.93.30

f.gtld-servers.net. 111162 IN A 192.35.51.30

c.gtld-servers.net. 33590 IN A 192.26.92.30

j.gtld-servers.net. 171076 IN A 192.48.79.30

a.gtld-servers.net. 2665 IN A 192.5.6.30

a.gtld-servers.net. 8352 IN AAAA 2001:503:a83e::2:30

i.gtld-servers.net. 78083 IN A 192.43.172.30

k.gtld-servers.net. 14957 IN A 192.52.178.30

b.gtld-servers.net. 127812 IN A 192.33.14.30

b.gtld-servers.net. 168301 IN AAAA 2001:503:231d::2:30

e.gtld-servers.net. 29652 IN A 192.12.94.30

h.gtld-servers.net. 47519 IN A 192.54.112.30

l.gtld-servers.net. 41990 IN A 192.41.162.30

m.gtld-servers.net. 42456 IN A 192.55.83.30

If you lookup the NS record for appcove.com at one of the above “com” servers, you will be told this:

appcove.com. 172800 IN NS ns2.rackspace.com.

appcove.com. 172800 IN NS ns.rackspace.com.

Finally, we have the authoritative DNS servers for appcove.com. Now, if you lookup the record for www.appcove.com at ns.rackspace.com, you will be told this:

www.appcove.com. 86400 IN CNAME appcove.com.

Finally, if you lookup appcove.com at it’s authoritative server ns.rackspace.com, you will be told this:

appcove.com. 86400 IN A 74.205.111.168

Tagged: Distibuted Systems, DNS, Internet, Network, Perspective, Technology

How to force-drop a postgresql database by killing off connection processes

Jason Garber — Wed, 03 Nov 2010 14:50:04 +0000

Ever need to drop a postgresql database, but it would not let you because there are open connections to it (from a webapp or whatever)?

Quite annoying. If on a production server, and other databases are being used, restarting postgresql is a last resort, because it generates downtime for your site (even if small).

I finally took the time to scratch around and find the answer.

As a super user, to list all of the open connections to a given database:

select * from pg_stat_activity where datname='YourDatabase';

As a superuser, to drop all of the open connections to a given database:

select pg_terminate_backend(procpid) from pg_stat_activity where datname='YourDatabase';

–

Here are some references to the functions:

http://www.postgresql.org/docs/current/static/functions-admin.html#FUNCTIONS-ADMIN-SIGNAL-TABLE

http://www.postgresql.org/docs/8.4/static/monitoring-stats.html#MONITORING-STATS-VIEWS-TABLE

Tagged: Drop Database, Kill Process, PostgreSQL, Process

Ubuntu Post-Install tips…

Jason Garber — Mon, 14 Jun 2010 21:10:51 +0000

I received this from a friend, and thought I would post it here in case anyone would find it useful.

After Installing Ubuntu, basically I do this:

Go to:
System -> Administration -> Software Sources -> Other Sofware, and enable partner repository.

After that, we can this on a Terminal:

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install ubuntu-restricted-extras
sudo /usr/share/doc/libdvdread4/install-css.sh

Tagged: Ubuntu, Ubuntu Partner Repositories, Ubuntu Setup

PostgreSQL Dump and Restore Notes

Jason Garber — Mon, 17 May 2010 03:10:59 +0000

The pg_dump and pg_restore commands provide excellent flexibility in storing a compressed dump file, and selectively restoring any part of it.

I’ve found that dropping and re-creating the target database is the cleanest way to restore a dumpfile — no stray relations left to cause trouble.

Unless you own all of the objects being restored, you may need to be SUPERUSER in order to have a successful restore.

The custom dump format is quite useful. Unlike the normal sequence of SQL statements you may be used to from mysqldump (and pg_dump as well), the –format=custom option will create a compressed archive file (internally a tar file) that can be selectivly read with pg_restore. That flexibility could come in handy if you *just* need the schema from 1 table, or *just* the data from another table.

Dump:
pg_dump –format=custom -U jason_super MyDatabase > MyDatabase.pgdump

Restore
pg_restore –exit-on-error –clean –dbname=MyDatabase MyDatabase.pgdump

Get all of the SQL
pg_restore TMTManage_2.pgdump | more

Get some of the SQL
pg_restore –schema=ACRM –table=Admin TMTManage_2.pgdump | more

Tagged: database backup, pg_dump, pg_restore, PostgreSQL

nginx restart error

Jason Garber — Thu, 25 Feb 2010 03:32:10 +0000

Was playing around with nginx on Centos 5 (EPEL package).

Most of the time I ran:

service nginx restart

I would get this message in the /var/log/nginx/error.log file:

panic: MUTEX_LOCK (22) [op.c:352].

After some hunting around, it appears to be a known bug in nginx (perhaps perl in nginx?)… Anyway, a simple workaround is to do this:

service nginx stop
service nginx start

Or, simply edit /etc/init.d/nginx, and add the sleep 1 line:

51 restart() {
52     configtest || return $?
53     stop
54     sleep 1
55     start
56 }

Nice workround!

Tagged: nginx, nginx configuration, nginx error

Example Automated MySQL Backup Script

Jason Garber — Sat, 26 Dec 2009 18:23:21 +0000

Rather than use --all-databases, which will prevent you from being able to selectively restore any single database, consider the following:

Ideally, you should have a daily backup, with some history. It should be bulletproof (--force), it should be logged (>> ...log), it should be compressed (| gzip), it should keep separate copies of each database, and it should automatically pick up any databases that are added.

Consider, rather, a shell script like this:

#!/bin/bash

Host=server.domain.com
BDir=/home/backup/backup/mysql

Dump="/usr/bin/mysqldump --skip-extended-insert --force"
MySQL=/usr/bin/mysql

Today=$(date "+%a")

# Get a list of all databases
Databases=$(echo "SHOW DATABASES" | $MySQL -h $Host)

for db in $Databases; do
        date=`date`
        file="$BDir/$Host-$db-$Today.sql.gz"
        echo "Backing up '$db' from '$Host' on '$date' to: "
        echo "   $file"
        $Dump -h $Host $db | gzip > $file
done

Which is assuming that you have a file ~/.my.cnf (chmod 600), that has:

[client]
user = "BACKUP"
password = "SOMEPASS8342783492"

Make sure that whatever user you are using for BACKUP has this grant statement:

GRANT
  SELECT, SHOW VIEW ON *.*
  TO BACKUP@localhost
  IDENTIFIED BY 'SOMEPASS8342783492';

So simply add this to a nightly cronjob, and you have a daily backup that rotates each 7 days week.

0 3 * * *   backup-mysql >> backup-mysql.log 2>> backup-mysql.log

The backup directory then contains:

-rw-r--r-- 1 backup backup 2217482184 Sep  3 13:35 base.appcove.net-VOS4_0-20090903.sql.gz
-rw-rw-r-- 1 backup backup 2505876287 Dec 25 00:48 base.appcove.net-VOS4_0-Fri.sql.gz
-rw-r--r-- 1 backup backup 2500384029 Dec 21 00:48 base.appcove.net-VOS4_0-Mon.sql.gz
-rw-r--r-- 1 backup backup 2506849331 Dec 26 00:48 base.appcove.net-VOS4_0-Sat.sql.gz
-rw-r--r-- 1 backup backup 2499859469 Dec 20 00:48 base.appcove.net-VOS4_0-Sun.sql.gz
-rw-rw-r-- 1 backup backup 2505046147 Dec 24 00:48 base.appcove.net-VOS4_0-Thu.sql.gz
-rw-rw-r-- 1 backup backup 2502277743 Dec 22 00:48 base.appcove.net-VOS4_0-Tue.sql.gz
-rw-r--r-- 1 backup backup 2504169910 Dec 23 00:48 base.appcove.net-VOS4_0-Wed.sql.gz
-rw-r--r-- 1 backup backup   76983829 Dec 25 00:49 base.appcove.net-VOS4_Mail_0-Fri.sql.gz
-rw-r--r-- 1 backup backup   76983829 Dec 21 00:49 base.appcove.net-VOS4_Mail_0-Mon.sql.gz
-rw-r--r-- 1 backup backup   76983829 Dec 26 00:49 base.appcove.net-VOS4_Mail_0-Sat.sql.gz
-rw-r--r-- 1 backup backup   76983829 Dec 20 00:48 base.appcove.net-VOS4_Mail_0-Sun.sql.gz
-rw-rw-r-- 1 backup backup   76983829 Dec 24 00:49 base.appcove.net-VOS4_Mail_0-Thu.sql.gz
-rw-rw-r-- 1 backup backup   76983829 Dec 22 00:49 base.appcove.net-VOS4_Mail_0-Tue.sql.gz
-rw-r--r-- 1 backup backup   76983829 Dec 23 00:49 base.appcove.net-VOS4_Mail_0-Wed.sql.gz
-rw-r--r-- 1 backup backup  304803726 Dec 25 00:49 base.appcove.net-WeSell_0-Fri.sql.gz
-rw-r--r-- 1 backup backup  303480087 Dec 21 00:49 base.appcove.net-WeSell_0-Mon.sql.gz
-rw-r--r-- 1 backup backup  304710121 Dec 26 00:49 base.appcove.net-WeSell_0-Sat.sql.gz
-rw-r--r-- 1 backup backup  303791294 Dec 20 00:49 base.appcove.net-WeSell_0-Sun.sql.gz
-rw-rw-r-- 1 backup backup  305315415 Dec 24 00:49 base.appcove.net-WeSell_0-Thu.sql.gz
-rw-rw-r-- 1 backup backup  302516217 Dec 22 00:49 base.appcove.net-WeSell_0-Tue.sql.gz
-rw-r--r-- 1 backup backup  303314217 Dec 23 00:49 base.appcove.net-WeSell_0-Wed.sql.gz
-rw-r--r-- 1 backup backup     135301 Dec 25 00:30 dc40.appcove.net-mysql-Fri.sql.gz
-rw-r--r-- 1 backup backup     135301 Dec 21 00:30 dc40.appcove.net-mysql-Mon.sql.gz
-rw-r--r-- 1 backup backup     135301 Dec 26 00:30 dc40.appcove.net-mysql-Sat.sql.gz
-rw-r--r-- 1 backup backup     135301 Dec 20 00:30 dc40.appcove.net-mysql-Sun.sql.gz
-rw-rw-r-- 1 backup backup     135301 Dec 24 00:30 dc40.appcove.net-mysql-Thu.sql.gz
-rw-rw-r-- 1 backup backup     135301 Dec 22 00:30 dc40.appcove.net-mysql-Tue.sql.gz
-rw-r--r-- 1 backup backup     135301 Dec 23 00:30 dc40.appcove.net-mysql-Wed.sql.gz

Tagged: backup, Backup Script, MySQL, System Administration

Freeky Bug

Jason Garber — Sun, 23 Aug 2009 03:38:52 +0000

Ever have one of those bugs that customers complain about, but you just cannot reproduce it? Here is a good one…

Customers were complaining about being logged out when clicking a download link.

This particular setup is a Cisco CSS 11501 series load balancer with 2 Dell Poweredge web servers sitting behind it. Each webserver is running apache, as well as an application server (python) which handles authentication and processing for THAT server.

For weeks, I could not reproduce this bug. So tonight when I finally got bit by it (at home), I was clueless for a while. The code is so simple. A simple key lookup in a simple dictionary, yet it just was not making sense.

Here is the story:

A while ago, we were having problems with Internet Explorer downloading content over SSL. This turns out to be a common problem with IE, so to fix it, I caused the downloads to not use SSL, which is more efficient anyway.

We use a cisco hardware load balancer which balances incoming requests to different backend servers. It has a feature called STICKY SOURCE IP, which means that any connections routed from the same IP to the same site will be delivered to the same backend server. This is nice, because you are always visiting the same server.

So as it turns out, by turning the download SSL off, the load balancer was using another “site” definition to handle the DOWNLOAD request. STICKY SOURCE IP was out the window, and the request was being passed back to a “random” webserver.

About 50% of the time, users (like me tonight) were tossed to the other server, which knew nothing about the user login. That is why it was complaining about the “WB4_App::$DSEG and/or WB4_App::$AuthToken must be set in order to contact the applications server.” error message, which is not one that should normally be shown.

To make matters worse, our IP address at work was apparently always using the same server, so I could not reproduce the problem. I’m lucky that it happened to me at home, or I would still be banging my head against the desk…

Tagged: Fail Bug, Load Balancing

Interesting Thoughts on Cloud Server Performance

Jason Garber — Sat, 01 Aug 2009 21:47:29 +0000

Apache load testing on a Cloud Server – Jason – 7/31/2009

I recently created a cloud server for a wordpress blog, and configured it to the point that the blog was working OK. Then I decided to check the performance aspects of the server, as it was a small 256 MB + 10GB machine.

Using apachebench (ab), I ran some load tests on the blog home page. The server choked to death. It was swapping so bad, that RackSpace Cloud sent me this email:

This is an automatic notification to let you know that your Cloud Server, city.appcove.com, is showing a considerable amount of consistent swapping activity. Quite often this is an indicator that your application or database are not as efficient as they could be. It also may indicate that you need to upgrade your Cloud Server for more RAM.

That’s strange…

I found that the response rate was:

4 requests per second, 10 concurrent connections

When the concurrency was raised to 50, the server died. It took 10 minutes for it to calm down enough that I could LOG IN and KILL apache.

–

So upon further investingation, I found that the default httpd.conf configuration was WAY TOO LARGE:

We’re only working with 256 MB ram here, so if each apache process takes up any amount of memory at all, we have a low limit.

StartServers 8
MinSpareServers 5
MaxSpareServers 20
ServerLimit 256
MaxClients 256
MaxRequestsPerChild 4000

Only after drastically reducing the configuration to the following, did we get reasonable performance:

StartServers 4
MinSpareServers 2
MaxSpareServers 4
ServerLimit 4
MaxClients 4
MaxRequestsPerChild 4000

As it turns out, the performance went up considerably:

16 requests per second, 50 concurrent connections

Still, I thought that it could get better. So I looked into installing some PHP opcode caching software.

http://www.php.net/manual/en/intro.apc.php

The Alternative PHP Cache (APC) is a free and open opcode cache for PHP. Its goal is to provide a free, open, and robust framework for caching and optimizing PHP intermediate code.

As it turns out, it was easy to install.

# yum install php-pecl-apc

And after restarting apache:

47 requests per second, 50 concurrent connections

Even during this load test, the site was still responsive from a web browser.

Not bad for a cheap little Cloud Server, eh?

Tagged: AB, Apache, Benchmarking, Cloud Server, Performance

Updating a cert on the Cisco 11500 Series Content Services Switches (CSS)

Jason Garber — Tue, 07 Apr 2009 03:21:52 +0000

Having recently moved some of our hosting infrastructure to the excellent Rackspace Platform group, we inherited the management of the Cisco 11500 Series Content Services Switches (CSS), which we use for general load balancing + ssl termination.

As a side note, it’s really powerful, fast, and well, plain nice. Not having to manage SSL certs on each apache instance is really nice, and all the LAN communication is done over plain old HTTP.

This blog post is a regurgitation of some notes I took internally. Perhaps someone who finds themselves managing this device will benefit…

The task at hand was re-issuing and updating one of our primary wildcard certificates that powers a lot of subdomains.

The first step is to generate the key, csr, and crt…

All these files should be:

Named the same as the domain that SSL is being generated for.
use WILD for a wildcard subdomain
Use this format “www.domain.com-0810.key”, where 08 is the from year and 10 is the to year
(the short version is because of name length limits on the CSS)

Start by generating the key and csr

This should be done in the ciscoftp role under the ~/load directory

# openssl genrsa -out WILD.vosecure.com-0810.key 1024
# openssl req -new -key WILD.vosecure.com-0810.key -out WILD.vosecure.com-0810.csr

Then get the certificate issued by (global sign)

Put the certificate into the the ~/load directory. When done, it should look like:

-rw-rw-r-- 1 ciscoftp ciscoftp  3139 Apr  6 15:59 WILD.vosecure.com-0810.crt
-rw-rw-r-- 1 ciscoftp ciscoftp   773 Apr  6 15:49 WILD.vosecure.com-0810.csr
-rw-rw-r-- 1 ciscoftp ciscoftp   883 Apr  6 15:47 WILD.vosecure.com-0810.key

Put the crt and key onto the load balancer

To do this, use the “copy command” on the load balancer

20132-201292# copy ssl ftp base import WILD.vosecure.com-0810.crt PEM "rack"
20132-201292# copy ssl ftp base import WILD.vosecure.com-0810.key PEM "rack"

Then make the associations...

20132-201292# config
20132-201292(config)# ssl associate cert WILD.vosecure.com-0810.crt WILD.vosecure.com-0810.crt
20132-201292(config)# ssl associate cert WILD.vosecure.com-0810.key WILD.vosecure.com-0810.key

Now, it’s time to install it. Requires SSL downtime!

Suspend the SSL content rule
Suspend the SSL service
Suspend the SSL proxy list
Run the updates
Activate the SSL proxy list
Activate the SSL service
Activate the SSL content rule

Here are the exact commands:

20132-201292# config
20132-201292(config)# owner vosecure.com
20132-201292(config-owner[vosecure.com])# content 74.205.111.161-ssl
20132-201292(config-owner-content[vosecure.com-74.205.111.161-ssl])# suspend

20132-201292# config
20132-201292(config)# service ssl-service
20132-201292(config-service[ssl-service])# suspend

20132-201292# config
20132-201292(config)# ssl-proxy-list ssl-proxy

In the following commands, we remove the whole ssl-server so that it shows up at the bottom in one concise unit. Otherwise, the startup-config and running-config become fragmented.

20132-201292(config-ssl-proxy-list[ssl-proxy])# suspend
20132-201292(config-ssl-proxy-list[ssl-proxy])# no ssl-server 6
20132-201292(config-ssl-proxy-list[ssl-proxy])# ssl-server 6
20132-201292(config-ssl-proxy-list[ssl-proxy])# ssl-server 6 rsakey WILD.vosecure.com-0810.key
20132-201292(config-ssl-proxy-list[ssl-proxy])# ssl-server 6 rsacert WILD.vosecure.com-0810.crt
20132-201292(config-ssl-proxy-list[ssl-proxy])# ssl-server 6 vip address 192.168.1.161
20132-201292(config-ssl-proxy-list[ssl-proxy])# ssl-server 6 cipher rsa-with-rc4-128-sha 192.168.1.161 81
20132-201292(config-ssl-proxy-list[ssl-proxy])# active

20132-201292# config
20132-201292(config)# service ssl-service
20132-201292(config-service[ssl-service])# active

20132-201292# config
20132-201292(config)# owner vosecure.com
20132-201292(config-owner[vosecure.com])# content 74.205.111.161-ssl
20132-201292(config-owner-content[vosecure.com-74.205.111.161-ssl])# active

Test test test.  Firefox, IE, Chrome...

20132-201292# copy running-config ftp base running-config

Review changes with git diff

20132-201292# write memory

20132-201292# copy startup-config ftp base startup-config

And… Here is the git diff

diff --git a/load/startup-config b/load/startup-config
index 7042490..36fbbaa 100644
--- a/load/startup-config
+++ b/load/startup-config
@@ -1,4 +1,4 @@
-!Generated on 04/06/2009 16:05:48
+!Generated on 04/06/2009 21:51:02
!Active version: sg0810205

@@ -64,6 +64,8 @@ configure
+  ssl associate rsakey WILD.vosecure.com-0810.key WILD.vosecure.com-0810.key
+  ssl associate cert WILD.vosecure.com-0810.crt WILD.vosecure.com-0810.crt

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssl-proxy
-  ssl-server 6
-  ssl-server 6 rsakey vosecure.com(080421-04300)-key
-  ssl-server 6 rsacert vosecure.com(080421-04300)-cert
-  ssl-server 6 vip address 192.168.1.161
-  ssl-server 6 cipher rsa-with-rc4-128-sha 192.168.1.161 81
@@ -146,6 +141,11 @@ ssl-proxy-list ssl-proxy
+  ssl-server 6
+  ssl-server 6 rsakey WILD.vosecure.com-0810.key
+  ssl-server 6 rsacert WILD.vosecure.com-0810.crt
+  ssl-server 6 vip address 192.168.1.161
+  ssl-server 6 cipher rsa-with-rc4-128-sha 192.168.1.161 81
active

Tagged: Cisco CSS, SSL Certificates, System Administration

I highly recommend yum + createrepo + rpmbuild

Jason Garber — Sun, 08 Mar 2009 05:30:00 +0000

As I was discussing lightly before, I have recently been involved in building quite a few RPMs for our server clusters at AppCove.

Where we have arrived:

Our (new) primary production cluster consists of multiple RedHat Enterprise Linux 5 boxes in different capacities (webserver, appserver, database master, database slave, etc…).

Each machine is registered with 3 yum repositories:

RHEL (RedHat Enterprise Linux)
EPEL (Extra Packages for Enterprise Linux)
ACN (AppCove Network)

All of our custom software packages and custom builds of open source software are placed into individual RPMs, and entered into our ACN repository.

From there, it is a snap to update any given server with the correct version of the software that server needs.

We have a dedicated build area, versioned with git, that is used to build and package all of the custom software that is needed.

(note, RPMs are not used for web application deployment — rsync via ssh is used for that)

Recommendation:

Having worked through the process from start to finish, I must say that I would highly recommend the following tools to anyone who is responsible for RedHat Enterprise, Centos, or Fedora system administration.

git – to keep your .spec files versioned
rpmbuild – to build the rpms
createrepo – to create your very own yum repository
apache – to serve the yum repository
yum – to obtain, install, and upgrade your rpms

Additionally, if you are using RedHat Enterprise or Centos, I would highly recommend using Extra Packages for Enterprise Linux (EPEL) to get a few of those “other” packages that don’t come with your OS (git, for example).

–
Learning how to build RPMs was a fairly steep curve. But it wasn’t long. It is one of those things that if you know it you say “that’s easy” and if you don’t you say “what the ???“

yum+rpm was invented (I assume) to make life easier for countless system administrators and software publishers. So it’s not the kind of thing that everyone is involved in.

I was a bit tough to figure out the caveats of how to correctly build RPM’s that work. The documentation is a bit sparse. A bit here and a bit there.

What are the benefits?

Many. Let me list a few.

Your system stays really clean. With RPMs, you can uninstall everything you installed without leaving extra files laying around.

Upgrades are a snap. Once you have registered your own yum repository on a system, you can upgrade a given package by running:

yum upgrade your-package

All your systems can be on the same “page”. It is very easy, using yum, to ensure that all of your systems are using the exact same version of software.

Custom builds are super easy to maintain. We custom-compile php, python, and various other software. Once the .spec files are in place, all of your software can be re-packaged with a single command.

In our specific case, we wanted to have the memcached client statically compiled into PHP. With a few extra commands in the .spec file, it was a snap to pull in the source from pecl, and update `configure` to take it into account.

All builds can take place in one place. With one set of documentation, one consistent set of development tools, etc… We have a user called `build` on one of the hosts that is specifically used for building all of the RPMs.

Where to learn?

The best way to learn, as usual, is to jump in and figure it out. There is some really good documentation buried in the rpm.org site. It is a book called Maximum RPM, origninally published by redhat. The current snapshot of the book is available online.

http://www.rpm.org/max-rpm-snapshot/

Google is another good resource, depending on what it is you are looking for.

Tagged: Apache, EPEL, Linux, RHEL, RPM, System Administration, YUM