 . '''To [[SystemAdministration/Systems|Systems Overview]]''' - '''To Software''' '''[[Software|Software]]''' - '''To Software-Assessment - ''' '''[[Software/Assessment|Software/Assessment]]'''
----
||<#CCFFCC>~+[[http://cacert.nhng.de/cacert-testserver/20130821/cacert1.it-sls.de.ova|Current Version of the Development and Testing Image]]+~||

= Systems - Development Image (VMWare) =

=== Get your local Testserver VM ===
 1. Download the [[http://cacert.nhng.de/cacert-testserver/20130821/cacert1.it-sls.de.ova|image]]
 1. Import it into your VM player (usually a double click on the file you just downloaded is enough)
 1. If you know you will need the signer (i.e. if you want to produce certificates on the test server), set up the serial connection now as described [[#Configure_USB_.2F_Serial_device|below]].
 1. Start the imported VM
 1. Start your web browser and navigate to [[http://cacert1/]]. If you can already see the web site, the VM has successfully configured itself using DHCP and you're done. Congratulations.
 1. If you're still reading this, something probably went wrong in the automatic network setup, but fear not: it's usually just a minor problem. Just bear with me for a second.
 1. Log in to the server as "`root`" using the password "`it-sls`".
 {{{#!wiki caution
 The VM might use a different keyboard layout than your normal operating system, so it's best to use the minus key on the numeric keypad rather than the one near the letters.

 If you haven't set up the serial connection, the console will keep printing messages like `ttyS0: LSR safety check engaged!`. Just ignore them and keep on typing. Once you have logged in, run "`/etc/init.d/commmodule stop`" and then "`/etc/init.d/commmodule-signer stop`" (using the division and minus signs from the numeric keypad) and the noise will stop for now.
 }}}
 1. Execute "{{{dpkg-reconfigure console-data}}}", choose "Select keymap from arch list" and in the following screens select the keyboard layout that comes closest to yours. From now on you should be able to type as you're used to.
 1. Execute "{{{ifconfig | head -n20}}}". If there are two sections called ethX (even -> cacert1, odd -> secure1), both having a line starting with {{{inet addr:}}} ('''not''' {{{inet6}}}), you need to put those IP addresses into your local (i.e. non-VM) `/etc/hosts` (Linux, probably MacOS too) or `C:\Windows\system32\drivers\etc\hosts` (Windows), mapping the hostname `cacert1` to the IP shown for the interface with the even number and `secure1` to the one with the odd number. See the [[WikiPedia:Hosts_(file)|Wikipedia entry]] for more information.
 1. If there were no such entries in the {{{ifconfig}}} listing, the interfaces couldn't be configured using DHCP and you have to set an IP address manually:
  a. Start an editor to work on the file `/etc/network/interfaces` (e.g. by typing "{{{nano /etc/network/interfaces}}}")
  a. On the lines "{{{map foo cacert1-dhcp}}}" and "{{{map foo secure1-dhcp}}}" replace the `dhcp` with `static`
  a. In the sections "{{{iface cacert1-static}}}" and "{{{iface secure1-static}}}" adjust the IP addresses, netmasks and gateway according to your needs
  a. Save the file and exit the editor (for `nano` hit CTRL+X, then confirm with Y and ENTER)
  a. Restart the network interfaces by executing "{{{/etc/init.d/networking restart}}}". It may print some errors, but that's normal for this setup; run "{{{ifconfig | head -n20}}}" to see whether it worked.
  a. Put the mapping from the host names (`cacert1` and `secure1`; it's important that they are mapped exactly as in `/etc/network/interfaces`) to the configured IPs in your local (i.e. non-VM) `/etc/hosts` as mentioned above.
 1. You're done.
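The hosts-file step above, as an added shell example that is not part of this wiki page: it reads an `ifconfig` listing (the sample below is constructed in the old Debian format), keeps only the `inet addr:` lines of ethX sections, and emits the `/etc/hosts` entries with even ethX mapped to cacert1 and odd ethX to secure1. The function names `hosts_lines` and `count_hosts` are this example's own.

```shell
#!/bin/sh
# Added example, not part of the wiki page: build the /etc/hosts lines for the
# local (non-VM) machine from the VM's `ifconfig` output. Mapping as described
# in the procedure: even ethX -> cacert1, odd ethX -> secure1.

# Constructed sample in the old Debian ifconfig format (the DHCP case).
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:0c:29:aa:bb:01
          inet addr:172.16.128.113  Bcast:172.16.128.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feaa:bb01/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:0c:29:aa:bb:02
          inet addr:192.168.172.113  Bcast:192.168.172.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feaa:bb02/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'

# hosts_lines IFCONFIG_TEXT
# Prints one "IP<TAB>hostname" line per ethX interface that has an IPv4
# address. inet6 lines and non-eth interfaces (lo) are skipped, because only
# the "inet addr:" lines of the ethX sections count for the mapping.
hosts_lines() {
    printf '%s\n' "$1" | awk '
        /^eth[0-9]+ /  { n = substr($1, 4) + 0; next }   # start of an ethX section
        /^[^ ]/        { n = -1; next }                  # some other interface: ignore
        n >= 0 && $1 == "inet" && $2 ~ /^addr:/ {
            ip = substr($2, 6)                           # strip the "addr:" prefix
            name = (n % 2 == 0) ? "cacert1" : "secure1"
            print ip "\t" name
        }'
}

# count_hosts IFCONFIG_TEXT
# Number of hosts lines found. The procedure expects exactly 2 (cacert1 and
# secure1); anything else means DHCP failed for at least one interface and
# the static-IP steps of the procedure are needed.
count_hosts() {
    hosts_lines "$1" | wc -l | tr -d ' '
}

hosts_lines "$SAMPLE_IFCONFIG"
```

Append the printed lines to the hosts file of the machine running the browser, not to the VM's own.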
 All other settings will update themselves automatically; there is no need to fiddle with the apache configuration and such.
 {{{#!wiki caution
 Putting the entries into `/etc/hosts` is essential if the names can't be resolved automatically. You can't use the IP address directly in your browser: the server redirects you to the host name if you don't use the right one (which is configured to be cacert1/secure1, not your IP), and if that name is not present in `/etc/hosts` your browser can't resolve it and shows you an error.
 }}}

=== Configuration of the virtual machine for host only / for NAT ===
{{{
(00:45:31) dirk: auto lo eth0 eth1
(00:45:32) dirk: iface lo inet loopback
(00:45:45) dirk: iface eth0 inet static
(00:45:55) dirk: address 172.16.128.113
(00:46:05) dirk: netmask 255.255.255.0
(00:46:12) dirk: iface eth1 inet static
(00:46:21) dirk: address 192.168.172.113
(00:46:29) dirk: netmask 255.255.255.0
(00:46:37) dirk: gateway 192.168.172.2
(00:47:02) dirk: ... what matters in the last entry is the .2 ... and not (as one would otherwise assume) the .1
(00:47:49) dirk: ...
(00:48:02) dirk: file /etc/network/interfaces
}}}

=== Configure USB / Serial device ===
==== VirtualBox ====
 1. Open the virtual machine settings
 1. Go to the "Serial Ports" section
 1. Check "Enable Serial Port" and choose the "Port Mode" as "Host Pipe"
 1. Check "Create Pipe"
 1. Enter {{{/path/to/virtual_machine/cacert1.it-sls.de/serial.pipe}}}
 1. Open a command line and execute
 {{{
cd /path/to/virtual_machine/cacert1.it-sls.de/
ln -s serial.pipe serial.pipe.lnk
 }}}
 1. Go to the second tab of the serial port settings of !VirtualBox ("Port 2")
 1. Check "Enable Serial Port" and choose the "Port Mode" as "Host Pipe"
 1. Do '''NOT''' check "Create Pipe"
 1. Enter {{{/path/to/virtual_machine/cacert1.it-sls.de/serial.pipe.lnk}}}

==== VMWare ====
 . To get the signer process running and communicating with the testserver ...
 . In the end, 2 serial connections have to be established in the VM so that the signer process and the testserver can communicate with each other through a named pipe.
{{{
usb/serial configuration
connecting serial device under vmware
http://www.vmware.com/pdf/server_vm_manual.pdf p. 220 ff
  Connecting an Application on the Host to a Virtual Machine
  incl. Connecting Two Virtual Machines communication thru named pipe
  For a serial pipe on a Linux host, enter /tmp/
  For a serial pipe on a Windows host, the pipe name must follow the form \\.\pipe\
}}}
{{attachment:serial-ports-configuration-under-vmware.png}}
 . ''configure serial ports under vmware''
{{attachment:serial-port1-configuration.png}} {{attachment:serial-port2-configuration.png}}
 . ''serial ports configuration under vmware port 1 + port 2''
 * Serial ports configuration under ESX
{{{
ser port 1
  use named pipe: cacert#signer
  near end: Client
  far end: A process
  Yield CPU on poll: enabled
ser port 2
  use named pipe: cacert#signer
  near end: Server
  far end: A process
  Yield CPU on poll: enabled
}}}

=== Alternate Manual Modification Options on RAW ESX VM for local use ===
 * Below you'll find a couple of configuration options that you need if you're trying to modify one of the older images or to reconfigure one of the preconfigured images to your needs (e.g. connect from a mysql management console to the server)
{{{
ifconfig -> eth1 10.38.6.79                        modify to your needs
/etc/network/interfaces                            eth2 -> eth0 ?
/etc/hosts                                         replace hostnames + replace value for git repository
                                                   212.38.6.92 git-cacert.it-sls.de git-cacert   (for successful git pull ,-) .....)
/etc/timezone                                      reboot
/root/firewall.sh                                  drop but don't log some undesired local traffic, replace 10.38.6.0/24 ->
/etc/mailname                                      replace hostname
/etc/resolv.conf                                   replace name servers
/etc/default/bootlogd                              (enable bootlogd)
/etc/hostname                                      modify hostname ?
/home/cacert/www/includes/mysql.php                modify hostnames
/home/cacert/www/www/images/cacert4.png            (replace ?)
/home/cacert/etc/hosts                             (for chroot'ed environment) update servername(s) + IPs + replace value for git repository
                                                   212.38.6.92 git-cacert.it-sls.de git-cacert   (for successful git pull ,-) .....)
/home/cacert/etc/resolv.conf                       update nameservers
( /home/cacert/etc/apache/httpd.conf )
/home/cacert/etc/apache2/sites-enabled/@cacert     (changed in 2011-10-26 revision) NameVirtualHost 10.38.6.74 ff. replace ???

5. get rid of the firewall, ip4 allow, ip6 drop
   /root/firewall.sh
     iptables --flush INPUT
     iptables --flush FORWARD
     iptables --flush OUTPUT
     iptables -P INPUT ACCEPT
     iptables -P FORWARD ACCEPT
     iptables -P OUTPUT ACCEPT
     ip6tables -P INPUT DROP
     ip6tables -P FORWARD DROP
     ip6tables -P OUTPUT DROP

6. connect remote to mysql
   chown mysql:mysql /var/lib/mysql/*
   chown mysql:mysql /var/lib/mysql/mysql/*
   mysql> grant all on mysql.* to 'your-user-here'@'your-remote-machine-ip' with grant option;
          grant all on cacert.* to 'your-user-here'@'your-remote-machine-ip' with grant option;
          set password for 'your-user-here'@'your-remote-machine-ip' = password('your-password-here');
   (should solve the problem to connect with a remote mysql admin or browser)
   your-remote-machine-ip: e.g. your local IP 192.168.178.123, and/or the default '%'
   /etc/mysql/my.cnf
     bind-address 127.0.0.1 -> machine IP   (this requires modifications to mysql.php too)
     Alternate: bind-address 0.0.0.0        (which is all interfaces)
}}}

=== Additional optional modifications ===
{{{
apt-get: lenny/main is mostly unsupported
  alternate: edit /etc/apt/sources.list and add the lines:
    deb http://archive.debian.org/debian-archive/debian/ lenny main
    deb-src http://archive.debian.org/debian-archive/debian/ lenny main
  execute: apt-get update

1. connect a windows share -> install smbfs
   apt-get install smbfs
   echo 'smbfs' >> /etc/modules
   mkdir -p /mnt/
   mount -t smbfs -o username= //../c$ /mnt/
   on "permission denied" error 13 try
   mount -t cifs -o username=,password= //../c$ /mnt/
   (detailed instructions: see http://www.debian-administration.org/articles/165)

2.
   install ntpd
   apt-get install ntp
   source: http://www.cyberciti.biz/faq/debian-ubuntu-linux-install-ntpd/
   configure /etc/ntp.conf
}}}

== Developer Image in kvm/qemu ==
 1. Convert the ova image to a qcow2 image; a guide to do this can be found at http://blog.bodhizazen.net/linux/convert-virtualbox-vdi-to-kvm-qcow/
 1. Import the qcow image into a new virtual machine
 1. Configure the virtual machine with 2 network interfaces
 1. In the grub menu, change the root block device from sda1 to vda1
 1. Boot the machine
 1. Log in and stop the commmodule processes to remove the spam from the console (see the sections above)
 1. Change the entries in /etc/fstab from sda to vda
 1. Change the entries in /boot/grub/menu.lst from sda to vda (you can also try to run {{{grub-mkdevicemap && update-grub}}} - haven't tried that yet)
 1. Remove /etc/udev/rules.d/70-persistent-net.rules to have your network cards mapped as eth0 and eth1
 1. Depending on your requirements, you can also adjust /etc/network/interfaces to assign IPs

== Changes to testserver image T8 (**) ==
=== Adjust IP settings on the VM ===
 * $EDITOR /home/cacert/etc/apache2/sites-enabled/cacert
 * exchange the IP in the VirtualHost section to *:443
 * add in front of the first SSL vhost: NameVirtualHost *:443
 * save the file
 * chroot /home/cacert
 * apachectl restart (inside of the chroot)
=== Changes for git on the VM to allow an automatic update push of the testserver-stable branch ===
 * $EDITOR /home/cacert/www/.git/hooks/post-update
 * add in front of exec: git checkout -f testserver-stable
 * save changes
 * in directory /home/cacert/www add permissions for your own user: chown -R user:group .
 * on the host system add the path to the local testserver to git
 * git remote add localtest ssh://un@/home/cacert/www

== Testserver Certs period changes ==
 * [[http://git-cacert.it-sls.de/cgi-bin/gitweb.cgi?p=cacert-devel.git;a=blobdiff;f=CommModule/client.pl;h=002b66103eefc461d15efe62dbedaa6582d151e8;hp=8da871d5b0032bee1e3c175f2aa67e65a937eda1;hb=1873efb2b7f1eb0be809fbcd176784a1ad75a9a1;hpb=80aeb3217af38950947501429c0395b70d8e45e5|changes to apply to signer to change certs periods]]
 * to switch the certs expiry period for testing from 6 months/1 year/2 years to 3 days/7 days/30 days and back

== Logs and places within system ==
{{{
logs in testserver(s)
  /home/cacert/var/log/apache2/*.log            e.g. error.log, access.log
  /home/cacert/git/cacert/CommModule/logfile*
  /home/signer/cacert-devel/CommModule/logfile*
  /var/log/mysql/mysql*.log
}}}

== Links ==
[[SystemAdministration/Systems/Development/Prepare|How to prepare an image that was just exported from ESX]]

|| Rev || State || VM HW level^1^ || Link || login ||
||<(|2> T8<<BR>>M8 ||<(|2> 2013-08-22 ||<(|2> 4 || [[http://cacert.nhng.de/cacert-testserver/20130821/cacert1.it-sls.de.ova]]<<BR>>[[http://cacert.nhng.de/cacert-testserver/20130821/cacert1-mgr.ova]] || Modified image, root password: it-sls (**) ||
|| --([[http://www.avintec.com/it-sls/20130821/cacert1.it-sls.de/]]<<BR>>[[http://www.avintec.com/it-sls/20130821/cacert1-mgr/]])-- || Original image, password unknown, boot with a live CD and chroot the virtual hard disk to change the root password ||
||<(|2> T7<<BR>>M7<<BR>>G7 ||<(|2> 2012-04-04<<BR>>(removed stamp service) ||<(|2> 4 || [[http://cacert.nhng.de/cacert-testserver/20120404/cacert1.it-sls.de.ova]] || Modified image, root password: it-sls ||
|| --([[http://www.avintec.com/it-sls/20120404/cacert1.it-sls.de/]]<<BR>>[[http://www.avintec.com/it-sls/20120404/cacert1-mgr/]]<<BR>>[[http://www.avintec.com/it-sls/20120404/git-cacert/]])-- || Original image, password unknown ||
||<(|3> T6 ||<(|3> 2011-10-26 ||<(|3> 4 || [[http://cacert.nhng.de/cacert-testserver/20111026/cacert1.it-sls.de/]] || Modified image, root password: it-sls ||
|| --([[http://www.avintec.com/it-sls/CAcert-T6/]])-- || Modified image, root password: CA-Test ||
|| --([[http://www.avintec.com/it-sls/20111026/]])-- || Original image, password unknown ||
|| T5 || 2011-09-07 || 4 || [[http://cacert.nhng.de/cacert-testserver/20110907/cacert1.it-sls.de/]]<<BR>>--([[http://www.avintec.com/it-sls/20110907/cacert1.it-sls.de/]])-- || Original image, password unknown ||
|| M1 || 2011-09-07 || 4 || [[http://cacert.nhng.de/cacert-testserver/20110907/ca-mgr1.it-sls.de/]]<<BR>>[[http://www.avintec.com/it-sls/20110907/ca-mgr1.it-sls.de/]] || Original image, password unknown ||
|| T4 || 2011-04-21 || 4 || [[http://cacert.nhng.de/cacert-testserver/20110421/]]<<BR>>--([[http://www.avintec.com/it-sls/20110421/cacert1.it-sls.de/]])-- || Original image, password unknown ||
|| T3 || 2010-04-07 || 7 || [[ftp://newsys.gun.de/VMWare-Images/CAcert-Developer/]] || root/CA-Test ||
|| T2 || 2009-08-24 || 4 || [[http://cacert.quarkus.de/]] || root/lale.. ||
|| T1 || 2009-06-28 || emu || test1.cacert.at || unknown ||

remark: WIN7 vmplayer 3.1 must run in WindowsXP mode, see [[http://www.infernodevelopment.com/forum/Thread-VMWare-Player-Windows-7-Internet-Not-Working]]

^1^ vmware-host is running on a VMware ESX Server 3i 3.5.0 build-207095 revision. [[http://www.techhead.co.uk/vmware-esx-how-to-downgrade-a-vms-vm-versionhw-level-from-7-4-0-to-4-3-x|vm-versionhw-levels]] defines 3i 3.5.0 as HW level 4.
----
 . CategorySystems
 . CategorySoftwareAssessment