Recompile x86_64 kernel for CentOS 6.4

Hi, due to some changes in the official CentOS 6 kernel, like the integration of IPMI into the kernel (boot hanging bug) and the preemptive scheduling set to "desktop" instead of "server" (which resulted in poorer performance), I decided to recompile the kernel.

Here is a small howto if you want to recompile your CentOS stock kernel with other options:

  1. create building tree as non-root user
    # su <user>
    # mkdir -p ~/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
    # echo '%_topdir %(echo $HOME)/rpmbuild' > ~/.rpmmacros
    # exit
  2. install needed packages:
    # yum groupinstall "Development Tools"
    # yum install hmaccalc zlib-devel binutils-devel elfutils-libelf-devel
    # yum install rpm-build redhat-rpm-config asciidoc hmaccalc
    # yum install binutils-devel elfutils-libelf-devel newt-devel zlib-devel ncurses-devel
    # yum install xmlto python-devel
  3. change user (NEVER RECOMPILE AS ROOT):
    # su <user>
  4. install source rpm:
    # rpm -ivh http://vault.centos.org/6.4/updates/Source/SPackages/kernel-2.6.32-358.2.1.el6.src.rpm
    (6.4 -> centos version, kernel-2.6.32-358.2.1.el6.src.rpm -> kernel version)
  5. prepare source build tree
    # cd ~/rpmbuild/SPECS
    # rpmbuild -bp --target="x86_64" kernel.spec
  6. edit rpmbuild/SPECS/kernel.spec and replace line 18 with your custom build id:
    # %define buildid .custom.NOIPMI.SERVER
    (-> kernel-2.6.32.358.2.1.custom.NOIPMI.SERVER.x86_64.rpm)
  7. copy over old kernel config:
    # cd ~/rpmbuild/BUILD/kernel-2.6.32-358.2.1.el6/linux-2.6.32-358.2.1.el6.x86_64
    # cp /boot/config-2.6.32-358.2.1.el6.x86_64 .config
  8. now change the kernel config to your desires:
    # make clean
    # make menuconfig
  9. then copy the config file to your SOURCE directory:
    # cp .config configs/kernel-2.6.32-x86_64.config
    # cp configs/* ~/rpmbuild/SOURCES
  10. launch the compile process:
    # cd ~/rpmbuild/SPECS
    # rpmbuild -bb --with baseonly --without debug --without debuginfo --target="x86_64" kernel.spec

Now there should be some cryptic output to the screen. Lean back and have a coffee, the compilation process can take some time. Depending on your hardware this can take between 30 min and 3 hours (apparently up to 9 hours on a Pentium III).

The compiled kernel can be found in the RPMS folder.

Ensim Quota Fixer

Hello world,

We recently had some quota problems on one of our servers with Ensim Control Panel. The control panel and command line quota tool reported other data than the users really used. Although the user had no files on the disk which were owned by him, the quota reported a few megabytes used. I checked a few forums and read a few articles and wrote a bash script which fixes the quota problem.

Here is what it does:

  • it turns off quota
  • does a backup of your old quota files (aquota.user and aquota.group)
  • scans new quota data
  • re-enables quota
  • and resets ensim users and admin quotas

Download the file, unzip it and run the script. Hope this helps someone as I struggled with this "bug" for some time.

Ensim Quota Fixer (1748 downloads)

Create self-signed certificates with OpenSSL

Hey, here are a few steps to create your own self-signed certificates with your own CA:

  1. Generate your 4096 bit CA key (no password):
    # openssl genrsa -out CA.key 4096
    or generate one with a password (the cipher option has to come before the key size):
    # openssl genrsa -des3 -out CA.key 4096

Please note that if someone gets this key and it's not password protected, he can generate valid certificates in your name, which is really, really bad, so keep it secret!

  2. Generate your CA certificate:
    # openssl req -new -x509 -extensions v3_ca -key CA.key -days 10000 -out CA.crt

This creates a CA certificate which is valid for 10000 days. Why so long? Because when this CA expires you have to revoke and regenerate all the certificates based on it, which could be time-consuming, but feel free to set a lower number. For your self-signed certificates to be recognized, this CA certificate must be installed on the computer which calls the website or the like; how to do that varies between operating systems and programs.

  3. Generate a key for the server (again with or without password, simply add -des3 before the key size if you want password protection):
    # openssl genrsa -out server.key 4096
  4. Create a CSR (certificate signing request):
    # openssl req -new -key server.key -out server.csr

Now, before creating a CRT file: if you need multiple domains you can specify them in a separate file. In my example I named it multidomains.cnf and added the following line:

subjectAltName=DNS:www.domain.com,DNS:mail.domain.com,DNS:domain.com,DNS:mysql.domain.com

Please note that you need to specify the normal domain too (domain.com) in this file and as CommonName when generating the CSR.

  5. Generate the server certificate:
    # openssl x509 -req -in server.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out server.crt -days 365
    generate with multidomains:
    # openssl x509 -req -in server.csr -CA CA.crt -CAkey CA.key -CAcreateserial -extfile multidomains.cnf -out server.crt -days 365

If you want to create a certificate quickly, you can also do it in one line:

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt

All you have to do now is copy the server.key and server.crt onto your machine and configure your application to use these certificates.

Here are some useful sites I found about SSL:
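The CA and server-certificate steps above, run non-interactively and then checked; this is an added example, not part of the original post. It assumes 2048-bit keys (to keep the run short), `-subj` in place of the interactive prompts, and a minimal `ca.cnf` so the result does not depend on the system `openssl.cnf`; the server certificate is signed once without and once with `-extfile` to show that the SAN entries only appear in the second case.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: 2048-bit keys,
# -subj instead of the prompts, a minimal ca.cnf written by the script.

build_pki() {   # $1 = empty working directory
    ( cd "$1" &&
      printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' '[v3_ca]' \
          'basicConstraints = critical,CA:TRUE' > ca.cnf &&
      echo 'subjectAltName=DNS:www.domain.com,DNS:mail.domain.com,DNS:domain.com,DNS:mysql.domain.com' \
          > multidomains.cnf &&
      # CA key and self-signed CA certificate
      openssl genrsa -out CA.key 2048 2>/dev/null &&
      openssl req -new -x509 -config ca.cnf -extensions v3_ca -key CA.key \
          -days 10000 -subj '/CN=Example Test CA' -out CA.crt &&
      # Server key and CSR, CommonName set to the plain domain
      openssl genrsa -out server.key 2048 2>/dev/null &&
      openssl req -new -config ca.cnf -key server.key -subj '/CN=domain.com' \
          -out server.csr &&
      # Sign the same CSR twice: without and with the SAN extension file
      openssl x509 -req -in server.csr -CA CA.crt -CAkey CA.key -CAcreateserial \
          -out server-plain.crt -days 365 2>/dev/null &&
      openssl x509 -req -in server.csr -CA CA.crt -CAkey CA.key -CAcreateserial \
          -extfile multidomains.cnf -out server.crt -days 365 2>/dev/null
    )
}

chain_ok() {    # $1 = directory, $2 = certificate file; 0 if it chains to CA.crt
    openssl verify -CAfile "$1/CA.crt" "$1/$2" >/dev/null 2>&1
}

san_list() {    # $1 = certificate; prints its SAN line without spaces, or nothing
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;s/ //g;p;}'
}

work=$(mktemp -d) && build_pki "$work" || exit 1
chain_ok "$work" server.crt && echo "server.crt chains to CA.crt"
echo "SAN with -extfile:    $(san_list "$work/server.crt")"
echo "SAN without -extfile: $(san_list "$work/server-plain.crt")"
rm -rf "$work"
```

Both certificates verify against the CA, but only the one signed with `-extfile` carries the extra host names, so a client that matches on subjectAltName accepts only that one.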
http://www.chainsawonatireswing.com
http://phaseshiftllc.com
http://blog.didierstevens.com
http://shib.kuleuven.be