Backing up ecryptfs on an LV

Because I know I will forget this in the future:

# create the LV snapshot
hodor ~ # lvcreate -L5G -s -n backup-home /dev/hodor/home
  Logical volume "backup-home" created

# create the mount point and mount the snapshot
hodor ~ # mkdir /mnt/blah
hodor ~ # mount /dev/hodor/backup-home /mnt/blah

# mount ecryptfs and go to where it tells you to go
hodor ~ # ecryptfs-recover-private /mnt/blah/.ecryptfs/david/.Private/
INFO: Found [/mnt/blah/.ecryptfs/david/.Private/].
Try to recover this directory? [Y/n]: y
INFO: Found your wrapped-passphrase
Do you know your LOGIN passphrase? [Y/n] y
INFO: Enter your LOGIN passphrase...
Inserted auth tok with sig [<OMITTED>] into the user session keyring
INFO: Success!  Private data mounted at [/tmp/ecryptfs.UahEKdmV].
hodor ~ # cd /tmp/ecryptfs.UahEKdmV/

# backup the damn thing
hodor ecryptfs.UahEKdmV # tar --one-file-system --exclude=.Private --exclude=.cache -pScvzf /home/david/homebackup.tar.gz .

# now clean up this mess
hodor ecryptfs.UahEKdmV # cd
hodor ~ # umount /tmp/ecryptfs.UahEKdmV
hodor ~ # umount /mnt/blah
hodor ~ # rmdir /mnt/blah
hodor ~ # lvremove /dev/hodor/backup-home 
Do you really want to remove and DISCARD active logical volume backup-home? [y/n]: y
  Logical volume "backup-home" successfully removed

Then throw the backup somewhere. Done.

.bashrc goodies

Here are a couple of goodies I have in my .bashrc to make my life easier. I’ll probably add some more later.

function speed-test {
        # Curls the given address and outputs some nice metrics. Nice for finding where something is slowing things down.
        if [[ $1 ]]; then
                curl -Lw "DNS Lookup: %{time_namelookup} seconds \nRedirects: %{time_redirect} seconds with %{num_redirects} redirects \nFirst Byte: %{time_starttransfer} seconds \nConnect Time: %{time_connect} seconds \nTotal Time: %{time_total} seconds \n" -so /dev/null "$1"
        else
                echo -e "Usage: $FUNCNAME <url>\nTests and displays HTTP metrics for given URL."
        fi
}

function verify-ssl {
        # Gets information about a given cert. Can be run against a file, a host, or interactively (PEM on stdin).
        if [ -z "$1" ]; then
                OUTPUT=`openssl x509 -text -noout`
        elif [ -e "$1" ]; then
                echo "Found file $1, assuming it's the cert to be tested."
                OUTPUT=`openssl x509 -in "$1" -text -noout`
        else
                echo "Assuming input is a hostname. Testing on port 443."
                # -servername sends SNI, so a virtual-hosted server returns the right cert instead of its default one
                OUTPUT=`openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | openssl x509 -text -noout`
        fi

        echo "$OUTPUT" | grep "Not Before" -C 2
        echo "$OUTPUT" | grep "Alternative Name" -C 1
}

# Just echos hodor.
alias hodor='echo hodor'
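As an added example (not from the original .bashrc), here is a scriptable companion to verify-ssl: it loads a cert from a file or a host, answers "does it expire within N days?" with an exit status via openssl x509 -checkend, and lists the SANs one per line. The function names are my own; only openssl and sed are required.

```shell
#!/usr/bin/env bash
# Added example, not from the original .bashrc: a scriptable companion to verify-ssl.
# verify-ssl prints the Not Before/Not After block for a human to read; these helpers
# answer the same questions with an exit status, so a cron job or monitor can use them.
# Only openssl and sed are needed. Function names are my own.

# load_cert <file-or-host> : print the PEM leaf certificate, or return 2 if none found.
# A readable path is treated as a cert file; anything else as a hostname on port 443.
load_cert() {
        local target=$1 pem
        if [ -r "$target" ]; then
                pem=$(cat "$target")
        else
                # -servername sends SNI so a virtual-hosted server returns the right cert
                pem=$(openssl s_client -connect "$target:443" -servername "$target" </dev/null 2>/dev/null |
                        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p')
        fi
        [ -n "$pem" ] || return 2
        printf '%s\n' "$pem"
}

# cert_expires_within <days> <file-or-host> : return 0 if the cert expires within <days>,
# 1 if it is still valid past that point, 2 if no cert could be loaded.
cert_expires_within() {
        local days=$1 pem
        pem=$(load_cert "$2") || return 2
        # openssl exits 0 when the cert is still valid <seconds> from now, 1 once it would have expired
        if printf '%s\n' "$pem" | openssl x509 -noout -checkend $((days * 86400)) >/dev/null; then
                return 1
        fi
        return 0
}

# cert_sans <file-or-host> : print the Subject Alternative Names one per line (DNS:..., IP:...).
cert_sans() {
        local pem
        pem=$(load_cert "$1") || return 2
        printf '%s\n' "$pem" | openssl x509 -noout -text |
                sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' ' | tr ',' '\n'
}

# Cron-style use (hostname is a placeholder): nag when fewer than 30 days remain.
# cert_expires_within 30 www.example.com && echo "renew the cert on www.example.com"
```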

Happy hacking!

All About Nova-Agent (well, on linux that is)

If you have a Linux Cloud Server with Rackspace, you may notice a couple extra processes that might not exist on a stock build of that distro on physical hardware. For example, here’s what’s in /etc/rc3.d/ on a fresh Debian build:

# ls -l /etc/rc3.d/
total 4
-rw-r--r-- 1 root root 677 Jan  1  2011 README
lrwxrwxrwx 1 root root  17 May  2  2011 S01rsyslog -> ../init.d/rsyslog
lrwxrwxrwx 1 root root  14 May  2  2011 S01sudo -> ../init.d/sudo
lrwxrwxrwx 1 root root  31 May  3  2011 S01xe-linux-distribution -> ../init.d/xe-linux-distribution
lrwxrwxrwx 1 root root  15 May  2  2011 S02acpid -> ../init.d/acpid
lrwxrwxrwx 1 root root  14 May  2  2011 S02cron -> ../init.d/cron
lrwxrwxrwx 1 root root  20 Jul 20  2011 S02nova-agent -> ../init.d/nova-agent
lrwxrwxrwx 1 root root  13 May  2  2011 S02ssh -> ../init.d/ssh
lrwxrwxrwx 1 root root  18 May  2  2011 S03bootlogs -> ../init.d/bootlogs
lrwxrwxrwx 1 root root  18 May  2  2011 S04rc.local -> ../init.d/rc.local
lrwxrwxrwx 1 root root  19 May  2  2011 S04rmnologin -> ../init.d/rmnologin
lrwxrwxrwx 1 root root  23 May  2  2011 S04stop-bootlogd -> ../init.d/stop-bootlogd

The two extra items here are xe-linux-distribution and nova-agent, which are essential for the cloud part of your Rackspace server to function correctly. Otherwise you pretty much just have a VM. The goal of this guide is to give an overview of what these two services do, common things that can go wrong with them, and how to fix them.

Authenticating against Rackspace Cloud Identity Service v2.0

As the product portfolio of Rackspace Cloud continued to grow, it became evident that it was necessary to revamp the authentication process to provide better information about service endpoints through the API. If you’re familiar with the first version of the authentication process, you may recall that it doesn’t return any information regarding service endpoints beyond legacy Cloud Servers and Cloud Files, and you had to search through the API documentation to locate your service endpoint. The new Cloud Identity Service API returns all information about service endpoints available to a customer.

UFW – We can rebuild him. We have the technology.

So say you have UFW (uncomplicated firewall) installed on your server and you accidentally issue “iptables -F” and kill all of your networking. “No worries,” you think, “I can just restart UFW.” Except you find that after you issue “ufw disable; ufw enable” it still does not work. Welp, crap. You’re hosed now. Have no fear, fellow sysadmin! Rescue is on the way.

Configuring SSL Termination on Rackspace Cloud Load Balancers

Rackspace Cloud recently introduced SSL termination on Cloud Load Balancers. As of right now, there is no way to implement this feature through the control panel; it is only available via the API. This tutorial will guide you through how to set up SSL termination via the API.

Things you will need:

  • Your private key
  • Your certificate
  • Your CA’s intermediate certificate (optional, but recommended)
  • curl
  • tidy (optional, but it makes reading the return XML much nicer)
  • SSL termination API documentation


Net-install a custom linux distro on Cloud Servers

I originally posted this article over at Failverse, but I figured I should have it on my own blog as well. This guide may be a little dated as Rackspace has updated their host servers to utilize a newer version of Xen. Your mileage may vary.

This guide will walk you through installing a custom Linux distro on Rackspace Cloud Servers without the need to tar up a file system from a donor box. This particular guide is specific to openSUSE, but the same method can be used to install other distros that support automated/remote install.

This process is entirely unsupported by Rackspace.

First, some documentation before we get started:


Creating a Non-standard Size Bootable Floppy Image for PXE Boot

I originally posted this article over at Failverse, but I figured I should have it on my own blog as well.

The majority of motherboard manufacturers still only allow you to update your BIOS either from within Windows, from a USB stick within the BIOS itself, or from a floppy with DOS. The first option doesn’t work with a Linux box for obvious reasons. While the second option is nice for updating one box, it quickly becomes a hassle when you have an entire rack you need to update. And the third option is antiquated by any meaning of the word… or is it? While the days of floppies are long gone, the reign of the floppy image is still going strong in the world of PXE boot.

The biggest limitation of a floppy image is easily its size. 1.44MB is almost useless in today’s world of terabyte hard drives. Since BIOS images take up about 1MB, that leaves room for not much else. Meaning no scripting, no fancy menus, just the flasher program and your BIOS image. One of the most common methods around this limitation is to offload your BIOS images to a Samba share and instead use the 1.44MB of space for network utilities. While this does work fine, it brings back bad memories of networking in DOS that I’d rather not experience again. Instead, I’ll walk you through how to expand a floppy image to whatever size is comfy for you, and most importantly, keep it bootable.