Fedora 9 + VMWare server 1.0.5/6a

July 23, 2008

Step 1: Download VMWare Server files from here

If you prefer cmd line:

wget http://download3.vmware.com/software/vmserver/VMware-server-1.0.6-91891.tar.gz

Step 2: Install required packages

yum install kernel-devel-`uname -r`

If that does not work, make sure all of your packages are up to date (yum update) and then try it again. If it still does not work, downgrade your kernel version: take note of the kernel version that the most recent kernel-devel package is built for, then do a yum install of the kernel package for that version. If you have to install a different kernel, you will have to update your grub/lilo bootloader to use the newly installed kernel, then reboot into that kernel. THEN you can do the above yum install.

yum install make kernel-devel-`uname -r` kernel-headers-`uname -r` xinetd gcc gcc-c++ perl-devel perl-ExtUtils-Embed

Extract the VMWare tarball:

tar xvfz VMware-server-*.tar.gz
cd vmware-server-distrib
./vmware-install.pl

I have had this work and I have had it fail. If it fails, you need to use the any-any patch. Some use the 115 or the 117; I have gotten both to work. I use a mix of F8 and F9 on both i386 and x64 platforms. Here is a link to the 115 and here is a link to the 117. After extracting these patches, run the runme.pl script to apply them. After they apply, they should automatically start the installer script. Sometimes, even after the any-any update, vmware-cmd does not compile correctly. This is OK. It's not perfect, but we can function without it.

You can get Serial Codes from here

A quick note about VMs: every "instance" of a network card gets a new ID. The setup file for each VM appliance saves the MAC address of the network card. If you ever move the VM, copy it, or do anything that puts the device somewhere other than the original file, it will be assigned a new MAC address. However, the config file will still try to use the original MAC address. You have to comment out the MAC in the .vmx file to get the network card to acquire a new MAC. The safest thing to do is actually to remove all NICs and just re-add the ones you want.

Additionally, if your guest OS has knowledge of the NIC's physical address, networking will not work until that is fixed. For Fedora 9, for example, you have to either comment out or update the portion of /etc/sysconfig/network-scripts/ifcfg-eth0 that contains the physical (MAC) address. If you don't, the OS will try to use the old MAC, only it will fail, the interface won't come up and you'll be left clueless as to why your network is fubar.


F9 Must-have programs

July 23, 2008

This is a list of programs that I must have – anytime I install F9. I’m sure this list will grow with time. I wanted to get this list officially started.

yum install:

  • munin
  • lm_sensors
  • lm_sensors-sensord
  • ntfs-3g
  • httpd (Apache)
  • mysql-server
  • phpMyAdmin
  • hddtemp
  • sysstat
  • procps

F9 Command list

July 23, 2008

This is just a bunch of notes that I had in a txt file that I wanted to document. Some cool commands to be familiar with.

iostat          Monitor Hard Disk I/O
vmstat          Monitor CPU Utilization
sensors         Monitor CPU / System Temps
hddtemp         Monitor HDD Temps
fuser <file>    Shows all processes accessing <file>
du -ah <folder> Shows size of all files in a folder (human readable)

cat /proc/mdstat        Check Raid Status
hdparm /dev/sda         Check Drive parameters on /dev/sda

###  Raid 5 Commands ###
yum install xfs xfsprogs xfstools kmod-xfs

## Create Initial Raid
fdisk /dev/sdd
        (delete all previous partitions)
        n               New Partition
                p       Primary
                1       Partition #1
                1       Starting Block
                <enter> Max size of drive
        t               Type of partition
                fd      (or df - Linux raid autodetect)
        w               Write-out changes and exit
## Repeat for all drives in raid

## Create Raid 5
mdadm --create --verbose /dev/md2 --level=5 --auto=yes --raid-devices=3 /dev/sd[jid]1
## Wait for it to finish
watch cat /proc/mdstat
##Format the new device
mkfs.xfs -f /dev/md2
##Mount new device
mount /dev/md2 /media/raid5

Software Raid 5 – Fedora 9 style

July 23, 2008

Use fdisk to create a single primary partition on sd[cde] of type fd (linux raid)

If you create raid volume initially with all but one disk (you have to do minimum of 3 initially) – then you can see how to add a disk to the raid after the fact. At any rate – here’s how to do the initial setup. Afterwards, I’ll show you how to add a disk to the raid.

mdadm --create --verbose /dev/md2 --level=5 --auto=yes --raid-devices=3 /dev/sd[cde]1

Wait for the initial build to complete (150 minutes with 750GB drives with SATA-300, ~80MB/s)

watch cat /proc/mdstat

Install the xfs filesystem tools (an xfs filesystem can be grown dynamically without unmounting it)

yum install xfsprogs xfstools kmod-xfs

Create xfs partition in the raid

mkfs.xfs -f /dev/md2

Mount it … copy some files … do with it what you will. You now have a raid 5 partition!

Expanding by 1 disk:

Create a single partition (fdisk) as before – type fd (linux raid)
Add it to the existing array as a spare

mdadm --add /dev/md2 /dev/sdf1

Grow the array from 3 to 4 disks

mdadm --grow /dev/md2 --raid-devices=4

Allow the array to reshape. (As a reference … I went from 4x 750GB drives to 5x 750GB – it took me somewhere between 7 and 8 days to reshape … I was only reshaping @ 1MB/s due to a bad SATA controller.)

When it finishes, grow the xfs filesystem to fill the newly expanded array. Note that xfs_growfs takes the mount point of the mounted filesystem, not the raw md device:

xfs_growfs /media/raid5

*** Note: Any time you resize your raid — be sure to re-create /etc/mdadm.conf… I have good horror stories of what happens when you don’t

cat /etc/mdadm.conf | grep -v md2 > ~/tempfile; mdadm --detail --scan | grep md2 >> ~/tempfile; mv /etc/mdadm.conf /etc/mdadm.conf.old; mv ~/tempfile /etc/mdadm.conf
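Added example (not from the post): a small shell function that does the same job as the one-liner above but refuses to rewrite the file when the scan has no line for the array (the case where the one-liner silently drops the array from mdadm.conf), and matches on the full device path so that a pattern for md2 cannot also remove md20. It runs on a constructed mdadm.conf and scan output; on a real box you would pass /etc/mdadm.conf and the saved output of mdadm --detail --scan.

```shell
#!/bin/sh
# refresh_array_line OLD_CONF SCAN_OUTPUT MD_NAME NEW_CONF
# Keeps every line of OLD_CONF except the ARRAY line for MD_NAME, appends the
# ARRAY line for MD_NAME from SCAN_OUTPUT, and writes the result to NEW_CONF
# via a temp file so a half-written config never lands in place.
# Returns 1 and leaves NEW_CONF untouched if SCAN_OUTPUT has no such line.
refresh_array_line() {
    old=$1; scan=$2; md=$3; out=$4
    new_line=$(grep "^ARRAY /dev/$md " "$scan") || return 1
    [ -n "$new_line" ] || return 1
    tmp=$(mktemp) || return 1
    # Match the device path with a trailing space: a bare "md2" would also
    # match /dev/md20, /dev/md21, ... and silently remove those arrays.
    grep -v "^ARRAY /dev/$md " "$old" > "$tmp"
    printf '%s\n' "$new_line" >> "$tmp"
    mv "$tmp" "$out"
}

# Constructed sample (UUIDs are made-up placeholders): a config with two
# arrays, and a scan taken after growing md2 from 3 to 4 devices.
sample_dir=$(mktemp -d)
cat > "$sample_dir/mdadm.conf" <<'EOF'
DEVICE partitions
ARRAY /dev/md0 level=raid1 num-devices=2 UUID=00000000:00000000:00000000:00000000
ARRAY /dev/md2 level=raid5 num-devices=3 UUID=11111111:11111111:11111111:11111111
EOF
cat > "$sample_dir/scan.txt" <<'EOF'
ARRAY /dev/md0 level=raid1 num-devices=2 UUID=00000000:00000000:00000000:00000000
ARRAY /dev/md2 level=raid5 num-devices=4 UUID=11111111:11111111:11111111:11111111
EOF

# Rewrite only the md2 line; md0 and the DEVICE line survive unchanged.
refresh_array_line "$sample_dir/mdadm.conf" "$sample_dir/scan.txt" md2 \
    "$sample_dir/mdadm.conf.new" && cat "$sample_dir/mdadm.conf.new"
```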

OpenVPN – Bridging two net

July 22, 2008

**UPDATE**

You will need the bridge-utils package: yum install bridge-utils tunctl

So, I have finally conquered the bridging of two networks. Well, I should refine that. I have managed to get an OpenVPN server configured correctly to have my VPN client be on my VPN server’s network – not some vpn-only network. Here’s what it looks like:

Internet
|
(dhcp address from Cable)
DD-Wrt router
192.168.0.1
|
[ all of the 192.168.0.x network ]
|
192.168.0.10
Server (with OpenVPN)

On the client side I have:

Internet
|
(dhcp address from generic ISP)
Gateway
192.168.1.1
|
Client device
192.168.1.100

So what I did was – I created a tap0 device on the server and built a bridge device that bridges the eth device with the virtual device.

For the OpenVPN server, I am running Fedora 9 with kernel 2.6.25-14.fc9.i686.
There are a number of places out there that help you get the stupid package installed. However, there aren't that many that help you actually get something working when it comes to the configurations. I found that the bridge-start and bridge-stop scripts were PAINFULLY undocumented. However, their role is extremely critical when doing this in bridged mode. I will leave it to you to install openvpn in a non-bridged fashion. Once you get that working, come back here and use my scripts to help you get it working in a bridged manner.

Here’s what my /etc/openvpn/server.conf file looks like:

port 1194
proto udp
dev tap0
;dev-node MyTap
ca keys/ca.crt
cert keys/server.crt
key keys/server.key  # This file should be kept secret
dh keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.0.10 255.255.255.0 192.168.0.21 192.168.0.29
;push "route 192.168.0.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;learn-address ./script
;push "redirect-gateway"
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option WINS 192.168.0.1"
client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
comp-lzo
max-clients 5
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
verb 3
;mute 20

Here’s an example of a client.conf

client
dev tap
;dev-node MyTap
proto udp
remote my-server 1194
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
ca keys/ca.crt
cert keys/client6.crt
key keys/client6.key
ns-cert-type server
;tls-auth keys/ta.key 1
;cipher x
comp-lzo
verb 3
;mute 20

I found that the original bridge-start script did not set the default gateway. Since I only use a single network card on my server, this is a necessary addition. Also, my one eth interface is eth1. I normally have it just pull DHCP from my router. On my router, I have it set to always give it 192.168.0.10 based on its MAC address (I <3 dd-wrt and host-specific dhcpd services).
Here’s my bridge-start script:

#!/bin/bash

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth1"
eth_ip="192.168.0.10"
eth_netmask="255.255.255.0"
# Broadcast address must belong to the same /24 as eth_ip
eth_broadcast="192.168.0.255"
eth_gateway="192.168.0.1"

for t in $tap; do
 openvpn --mktun --dev $t
 sleep 1
done

brctl addbr $br
sleep 1
brctl addif $br $eth
sleep 1

for t in $tap; do
 brctl addif $br $t
 sleep 1
done

ifconfig $eth 0.0.0.0 promisc up
sleep 1

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
sleep 1
route add default gw $eth_gateway

Again, since eth1 is typically dhcp – I had to add the following to make sure that when the bridge gets turned off – it still pulls dhcp. (I do not use NetworkManager – instead, I have the setting files maintained in /etc/sysconfig/network-scripts/ifcfg-eth1)
Here’s my bridge-stop script:

#!/bin/bash

####################################
# Tear Down Ethernet bridge on Linux
####################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged together
tap="tap0"

ifconfig $br down
brctl delbr $br

for t in $tap; do
 openvpn --rmtun --dev $t
done

ifdown eth1
ifup eth1

I wanted to automatically generate a new client certificate. I also wanted to tarball up all of the necessary files that a client would need. So I came up with this script. For now it resides in /root/bin, as do bridge-start and bridge-stop.
Here’s my addvpnclient.sh script

#!/bin/bash
# Usage: addvpnclient.sh <client-name> [no]
#   A second argument of "no" skips certificate generation (keys already exist).
client=$1
tar=$2

if [ -z "$client" ]; then
        echo "usage: $0 <client-name> [no]" >&2
        exit 1
fi

if [ ! -d /etc/openvpn/dist/$client ]; then
        mkdir -p /etc/openvpn/dist/$client/keys
fi

# Generate the client certificate and key with easy-rsa
if [ "$tar" != "no" ]; then
        cd /etc/openvpn/easy-rsa/2.0 || exit 1
        source ./vars
        ./pkitool $client || exit 1
fi

cp /etc/openvpn/keys/ca.crt /etc/openvpn/dist/$client/keys
cp /etc/openvpn/keys/$client.key /etc/openvpn/dist/$client/keys
cp /etc/openvpn/keys/$client.crt /etc/openvpn/dist/$client/keys
cp /etc/openvpn/README /etc/openvpn/dist/$client

# Build the client config and bundle everything the client needs
/etc/openvpn/client.sh $client > /etc/openvpn/dist/$client/$client.conf
cd /etc/openvpn/dist/$client || exit 1
tar czvf $client-vpn.tgz *

I wanted to dynamically generate the client config file – so I also have /etc/openvpn/client.sh

#!/bin/bash
# Print a client.conf for the client named in $1 (addvpnclient.sh redirects this into the dist dir)
client=$1
echo "
client
dev tap
;dev-node MyTap
proto udp
remote my-server 1194
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
ca keys/ca.crt
cert keys/$client.crt
key keys/$client.key
ns-cert-type server
;tls-auth keys/ta.key 1
;cipher x
comp-lzo
verb 3
;mute 20
"

Finally, when you do a “service openvpn start” or “service openvpn stop” it automatically finds *.conf in your /etc/openvpn folder. Also, it automatically runs scripts named “openvpn-startup” and “openvpn-shutdown” respectively. So I did the following:

ln -s /root/bin/bridge-stop /etc/openvpn/openvpn-shutdown
ln -s /root/bin/bridge-start /etc/openvpn/openvpn-startup

So now – all I have to do is hand a tgz file to a buddy and they can connect to my network and be ON THE network – not some funky vpn network that is only on the vpn devices. Sweet if you ask me … sweet. Now I’m off to apply this knowledge to my pfSense device. It is currently grabbing my neighbors open wifi on one radio and broadcasting it on a different radio. My broadcast radio is bridged to the LAN. The wifi is also encrypted – so as to protect my network. The thing that started this whole need for the VPN was the fact that I can’t set port-forwarding on the neighbor’s router. They were smart enough to change the default password, but not add encryption?!?! … anyhow, now with the pfSense box, I will have a permanent VPN tunnel back to my server which will allow me to access the network behind the pfSense box from anywhere in the world – via my server’s network. Muahaha… evil.

I forgot to mention … I also opened the necessary ports on my firewall.
Here’s my current /etc/sysconfig/iptables file:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i tap0 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 904 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i tap0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Also, on the router that sits between my openvpn server and the internet, I have UDP port 1194 forwarded to 192.168.0.10 (my server's IP address).