Showing posts with label sudo. Show all posts

Apr 2, 2016

Add Let's Encrypt free SSL certificates to WSO2 API Cloud

Let's Encrypt is a free and open certificate authority run for the public benefit. The service is provided by the Internet Security Research Group, and many companies work with them to make the Internet more secure. Anyone who owns a domain name can get a free SSL certificate for their websites from this service, valid for three months. If you need it for longer than three months you renew the certificate, which is also free. The best thing is that these certificates are accepted by most current web browsers and systems by default, so you don't need to add CA certs to your browsers any more.

In this article I will explain how to use that service to get a free SSL certificate and add it to WSO2 API Cloud, so that you can have your own API store like:

https://store.thilina.piyasundara.org

In order to do that you need to have the following things in hand.
  • A domain name.
  • Rights to add/delete/modify DNS A records and CNAMEs.
  • A publicly accessible webserver with root access, or a home router with port forwarding capabilities.

Step 1

If you have a publicly accessible webserver you can skip this step. If you don't, you can make your home PC/laptop a temporary webserver, provided you can do port forwarding/NAT in your home router. I will show how I did that with my ADSL router. You can get help on port forwarding by referring to this website: http://portforward.com.

a. Add a port forwarding rule in your home router.

Get your local (laptop) IP (by running ifconfig or ip addr) and put that as the backend server in your router's port forwarding rule. Set the WAN port to 80 and the LAN port to 80.


After adding the rule it will be like this.

b. Start a webserver on your laptop. We can use the simple Python HTTP server for this. Make sure to check the iptables/firewall rules.

mkdir /tmp/www
cd /tmp/www/
echo 'This is my home PC :)' > index.html
sudo python3 -m http.server 80

c. Get the public IP of your router. Go to this link: http://checkip.dyndns.org and it will give you the public IP address. This IP changes from time to time, so don't worry if it looks different later.


d. Try to access that IP from a browser.
If it gives the expected output, you have a publicly accessible webserver.


Step 2

Now we need to update the DNS entries. My goal is to have a single SSL certificate for both domains 'store.thilina.piyasundara.org' and 'api.thilina.piyasundara.org'.

a. Go to your DNS provider's console and add an A record for each domain name pointing to the public IP of your webserver (or the IP we got in the previous step).


b. Try to access both via a browser; if they give the expected output, you can proceed to the next step.


Step 3

I'm following the instructions in the Let's Encrypt guide. As I'm using the Python server I need to use the 'certonly' option when running the command to generate the certs.

a. Clone the letsencrypt project with git.

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

b. Run the cert generation command. (This requires root/sudo access.)

./letsencrypt-auto certonly --webroot -w /tmp/www/ -d store.thilina.piyasundara.org -d api.thilina.piyasundara.org

If this succeeds you will find the SSL keys and certs in '/etc/letsencrypt/live/store.thilina.piyasundara.org'.

Step 4

Check the content of the certs. (Become root before you try to 'ls' that directory, then run the command inside it.)

openssl x509 -in cert.pem -text -noout
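To turn that one-off inspection into a repeatable check, here is an added shell script of my own (it is not from the original post or from the Let's Encrypt project). It reads the text output of 'openssl x509', lists the DNS names in the certificate's Subject Alternative Name extension, verifies that both hostnames from this post are present, and uses 'openssl x509 -checkend' to warn when the 90-day certificate is within 30 days of expiry. It assumes openssl is installed and that the certificate path is the one from Step 3; CERT_PATH, EXPECTED_DOMAINS, RENEW_DAYS and the sample certificate text are my own names and constructed values, not anything the post defines.

```shell
#!/bin/sh
# Added example (not from the original post): check that the Let's Encrypt
# certificate covers every hostname you expect and is not close to expiry.
# Assumes openssl is installed. CERT_PATH, EXPECTED_DOMAINS and RENEW_DAYS are
# this script's own names; the path and hostnames are the ones used in the post.

CERT_PATH="${CERT_PATH:-/etc/letsencrypt/live/store.thilina.piyasundara.org/cert.pem}"
EXPECTED_DOMAINS="store.thilina.piyasundara.org api.thilina.piyasundara.org"
RENEW_DAYS=30   # Let's Encrypt certs last 90 days; renew when fewer than this remain

# Read the text form of a certificate ('openssl x509 -text -noout') on stdin and
# print the DNS names from its Subject Alternative Name extension, one per line.
san_dns_names() {
    awk '/X509v3 Subject Alternative Name:/ { getline; print }' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# check_domains name... : read certificate text on stdin and return 0 only when
# every listed hostname is present in the SAN list; missing names are printed.
check_domains() {
    names=$(san_dns_names)
    rc=0
    for d in "$@"; do
        if ! printf '%s\n' "$names" | grep -qxF "$d"; then
            echo "MISSING: $d"
            rc=1
        fi
    done
    return $rc
}

# Inspect the live certificate: show its expiry, verify the expected names and
# ask openssl whether it expires within RENEW_DAYS days.
inspect_cert() {
    cert_text=$(openssl x509 -in "$CERT_PATH" -text -noout) || return 2
    printf '%s\n' "$cert_text" | awk '/Not After/'
    printf '%s\n' "$cert_text" | check_domains $EXPECTED_DOMAINS || return 1
    if ! openssl x509 -in "$CERT_PATH" -noout -checkend $((RENEW_DAYS * 86400)); then
        echo "RENEW: certificate expires within $RENEW_DAYS days"
        return 1
    fi
    echo "OK: $CERT_PATH covers: $EXPECTED_DOMAINS"
}

# Constructed sample of the lines this script reads from 'openssl x509 -text'
# output (not a real certificate), so the parsing can be tried without openssl.
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Issuer: C=US, O=Example CA
        Validity
            Not Before: Apr  2 10:00:00 2016 GMT
            Not After : Jul  1 10:00:00 2016 GMT
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:api.thilina.piyasundara.org, DNS:store.thilina.piyasundara.org'

# The real check runs only when invoked as: sh check_cert.sh --run
if [ "${1:-}" = "--run" ]; then
    inspect_cert
else
    printf '%s\n' "$SAMPLE_CERT_TEXT" | check_domains $EXPECTED_DOMAINS && echo "sample: OK"
fi
```

Run it as root with '--run' (the live directory is root-only, as noted above); without arguments it only exercises the parser on the constructed sample. A non-zero exit means a name is missing or renewal is due, so the script can sit in a cron job and mail you before the three months run out.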

Step 5

Create an API in WSO2 API Cloud if you don't have one. Then start adding a custom domain to your tenant.

a. Remove both A records and add CNAME records for those two domains. Both should point to the domain 'customdns.api.cloud.wso2.com'.


b. Now click on the 'Configure' option in the top menu bar and select the 'Custom URL' option.


c. Get your SSL certs ready. Copy 'cert.pem', 'chain.pem' and 'privkey.pem' to your home directory.

d. Modify the API store domain. Click on the modify button, add the domain name and click on verify. It will take a few seconds. If that succeeds you have correctly configured the CNAME to point to WSO2 Cloud.

e. Add the cert files to the API Cloud. The order should be the certificate (cert.pem), the private key (privkey.pem) and the CA chain file (chain.pem). Again it will take some time to verify the uploaded details.


f. Update the gateway domain the same way.

Now if you go to the API Store it will show something like this.



g. In the same way you can use the gateway domain when you need to invoke APIs.

curl -X GET --header 'Accept: application/json' --header 'Authorization: Bearer ' 'https://gateway.api.cloud.wso2.com:8243/t/thilina/gituser/1.0.0/thilinapiy'

Now you don't need the '-k' option. If you still do, make sure your operating system's CA list is up to date.

Step 6

Make sure to remove the port forwarding rule from your home router if you used one, and revert any other changes you made while obtaining the SSL certificates.

Feb 4, 2014

KVM with Virt-Manager as a virtualization tool for Linux

I have used several operating system (OS) level virtualization tools like VMware Workstation, VMware Player, Oracle VirtualBox, Microsoft VirtualPC and KVM for many years.

Overall VMware Workstation is the best tool for me, but to use it we need to purchase a license. As an alternative to VMware Workstation we can use VMware Player (a stripped-down version of VMware Workstation) for free, but only for non-commercial use. Also you can't run multiple guest operating systems concurrently with it.

As an alternative to VMware products most Linux people use Oracle VirtualBox. I had some issues when I tried to NAT a virtual instance (guest OS) on an Ubuntu 12.10 (host OS) machine. As a solution most blogs and forums suggest changing the virtual network option to Bridged. But most networks (including my home WiFi network) don't allow this option because we do MAC address filtering.

Obviously you cannot install Microsoft VirtualPC on a Linux host (even with Wine). Truly I haven't used Xen, so I can't give any opinion on that.

Kernel-based Virtual Machine (KVM) is another tool that we can use to do OS level virtualization. I will explain how to install KVM and Virt-Manager, the graphical user interface used to interact with KVM, on Ubuntu (check this to install KVM on CentOS).

Installing KVM and Virt-manager on Ubuntu


Update your repository list:

sudo apt-get update

Install the packages and their dependencies:

sudo apt-get install kvm virt-manager

After completing the installation you can search for "Virtual Machine Manager" in the Ubuntu Unity search. Give the sudo password in the popup window.

Or else you can use the following command to start the virt-manager GUI from the terminal:

sudo virt-manager

On the first attempt it will show the following user interface. Use the default settings and click on "Connect".

KVM Virt-Manager add connection

Installing guest operating system in KVM


Open virt-manager by clicking the icon from the Unity search or using the command above. Then click on the leftmost icon of the GUI as shown below. It will open a wizard to create a new virtual machine.

Create new virtual machine


Give a proper name; that name will appear in the virt-manager virtual machine list.

There are several ways to install an operating system and this tool supports a few of them. Usually we use a bootable CD/DVD to install an operating system on a new machine/laptop. Here we can directly give the ISO image of an operating system. Therefore, I will go ahead with the "Local installation media" option and click on "Forward".


In this step I'm going to give an Ubuntu 12.04 desktop ISO image. Select the "Use ISO image" option and click on "Browse".


It will open another window listing all the image files of your virtual machines. Click on the bottom "Browse Local" button and browse to the ISO image you need to install. Give the OS type and version in the relevant fields. Then continue the wizard.


You can download the ISO images (other than Windows) from the relevant websites.

In this step you need to set the guest machine's memory and CPU. As I'm going to install an Ubuntu Desktop with the user interface (UI), I'm going to give it 1024 MB of RAM; a single CPU will do for this.


Now we need to set the disk space. 8-10 GB of disk space is enough for a virtual (guest) machine.

In particular, untick the "Allocate entire disk now" option. If you do so, KVM will not allocate the full 10 GB (or whatever you set) from your host machine's hard disk. It will only use the space actually written during the installation, and the image grows only as you add data to the guest system. This saves a lot of disk space.


In the last step you will get a confirmation page.

A few best practices when using KVM

  • To run Virtual Machine Manager you need sudo permission, so you can create an alias for it:
alias virt-manager='sudo virt-manager'
  • Then run 'sudo visudo' and add the following line with your username:
username ALL= NOPASSWD: ALL
  • Try to use text-only installations of operating systems. It reduces resource (RAM/disk space) usage. Most server edition operating systems install the text-only (runlevel 3) environment by default.
  • Use base images. Create some base operating system installations on the system. If you need a virtual machine you can clone the base installation and use it. In this figure I have created three base images (virtual machines): CentOS, RHEL and Ubuntu.

The other three machines are clones of the Ubuntu base machine, which I used to simulate an Ubuntu-based network. After the simulation I can delete those virtual machines along with their virtual hard disks (.img files).


Install your favourite commonly used tools like vim/emacs, tree, htop, telnet, git, subversion, Oracle JDK, links, debugging tools and custom scripts.

Install additional repositories like EPEL and RPMForge on Red Hat based distributions, and the Puppet repositories on all distributions.

So how do you clone a virtual machine? Right click on the virtual machine (it should be powered off) and select the "Clone" option. It will show the following window. Give it a proper name and continue. It will take a few minutes to copy; the time depends on your base image size.


When you need to delete a virtual machine, right click on it and select the "Delete" option. It will prompt another window as follows. Select the "Delete associated storage files" option and it will enable the list of storage files you can delete to save disk space. Keep in mind not to delete any ISO images if they appear on this list.


Jan 14, 2013

Run a specific command as root without root password

In most Linux/Unix systems users need special privileges to run some commands, particularly to stop a service, mount a device and the like. In these scenarios most old Linux/Unix systems used the command 'su -'. But this command requires the root user's password, and sharing the root password with other users is not good practice. Therefore we need some other way to do this task.

The 'sudo' command allows non-privileged users to run various commands as the root user without the root password. The root user can specify which user or user group can run which command(s) as root or as any other user. That information is saved in the configuration file '/etc/sudoers'. But I strongly advise you not to edit that file directly, because an error there can leave the system malfunctioning. The best way to make these changes is the 'visudo' command. Though it edits the same file, it checks the syntax before saving the changes to the configuration file permanently.

For example, think of a Linux-based proxy server running in your office environment. Normally you make lots of changes on request. (That's not a very good practice.) So you want the help of a new trainee to handle the proxy server. But there are a few problems. One is that you need to restart the proxy service to activate a configuration change. And you may have other services running on the same host server. So the server is critical, but you need to give some high-level privileges to an inexperienced user.

Now you need to give the user high privileges, but only to run certain identified commands. In the example you need to grant privileges to edit the "squid.conf" file and restart the squid service. You can do this in many different ways in the "sudoers" file.

Run 'visudo' and go to the line "root  ALL=(ALL) ALL". Add the following on the next line.

bob squidhost= NOPASSWD: /usr/bin/vim /etc/squid/squid.conf, /sbin/service squid

In the first part you set the user name; in this case it's bob. If you want to set a group instead, add a "%" sign in front of the group name.

In the second part you specify the hostname.

Then you can add "NOPASSWD:" between the equals (=) sign and the commands so that the user is not asked for a password when running those commands. If you remove it, the system will ask the user for his/her own password each time he/she runs one of these commands.

Then you specify the commands you want to grant to the user. Absolute paths are required when specifying commands and configuration files.
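Both the line from the KVM post's best practices above ('username ALL= NOPASSWD: ALL', which gives that user passwordless root for every command) and the scoped rule for bob can be reviewed mechanically. The following shell script is an added example of mine, not from the original posts or from the sudo project. It reads sudoers-style user specifications and flags the risky patterns discussed here: 'ALL' as the command list (with or without NOPASSWD), commands given without an absolute path, and an interactive editor granted as root, the case for which the sudoers manual provides sudoedit. The function names and the SAMPLE_RULES lines are constructed for the example; Cmnd_Alias names are not resolved, so a rule using one is reported as a non-absolute path. It is a heuristic review aid only; 'visudo -c' remains the syntax check.

```shell
#!/bin/sh
# Added example (not from the original posts or the sudo project): a small
# heuristic linter for sudoers rules. It flags the over-broad patterns discussed
# in the post; run 'visudo -c' for the real syntax check.

# Constructed sample rules: the post's scoped rule for bob, the blanket
# NOPASSWD: ALL line from the KVM post, a group with full root, and a rule
# whose command is not an absolute path.
SAMPLE_RULES='bob squidhost= NOPASSWD: /usr/bin/vim /etc/squid/squid.conf, /sbin/service squid
username ALL= NOPASSWD: ALL
%ops ALL=(ALL) ALL
alice webhost= service squid restart'

# lint_rule "<one user specification line>": prints each finding, returns 0 when
# the rule is scoped, 1 when anything was flagged. Cmnd_Alias names are not
# resolved, so they show up as non-absolute commands.
lint_rule() {
    line=$(printf '%s' "$1" | tr '\t' ' ')
    user=${line%% *}                  # user, or %group
    rest=${line#* }                   # host(s)=[(runas)] [NOPASSWD:] cmd, cmd...
    hosts=$(printf '%s' "${rest%%=*}" | tr -d ' ')
    spec=$(printf '%s' "${rest#*=}" | sed 's/^ *([^)]*)//')   # drop optional (runas)
    nopasswd=0
    case "$spec" in
        *NOPASSWD:*) nopasswd=1; spec=${spec#*NOPASSWD:} ;;
    esac
    rc=0
    oldifs=$IFS
    IFS=','
    for item in $spec; do
        IFS=$oldifs
        set -- $item                  # $1 is the command, the rest its arguments
        cmd=$1
        case "$cmd" in
            ALL)
                if [ "$nopasswd" = 1 ]; then
                    echo "$user: NOPASSWD with ALL commands on $hosts gives passwordless root"
                else
                    echo "$user: ALL commands on $hosts gives full root (own password required)"
                fi
                rc=1 ;;
            /*) ;;
            *)
                echo "$user: '$cmd' is not an absolute path; sudoers requires full paths"
                rc=1 ;;
        esac
        case "${cmd##*/}" in
            vi|vim|nano|emacs)
                echo "$user: editor '$cmd' runs as root; use sudoedit to edit files instead"
                rc=1 ;;
        esac
    done
    IFS=$oldifs
    return $rc
}

# lint_rules: read rules on stdin, skip comments, blank lines, Defaults and alias
# definitions, and return the number of rules that were flagged (0 = clean).
lint_rules() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            ''|\#*|Defaults*|*_Alias*) continue ;;
        esac
        lint_rule "$line" || bad=$((bad + 1))
    done
    return $bad
}

# Usage: sudo sh lint_sudoers.sh --check /etc/sudoers   (or a file in /etc/sudoers.d)
if [ "${1:-}" = "--check" ]; then
    lint_rules < "$2"
else
    n=0
    printf '%s\n' "$SAMPLE_RULES" | lint_rules || n=$?
    echo "flagged rules in sample: $n"
fi
```

On the constructed sample it reports four findings: the two 'ALL' rules, alice's relative 'service' command, and bob's editor entry. The last one is the caveat worth keeping in mind with the rule above: a file editor running as root carries root's privileges with it, which is why sudoedit exists for the "let this user edit that file" case. The exit status equals the number of flagged rules, so the script can gate a configuration management run before the file is installed.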