Sunday, May 31, 2015

Configuring a Vyatta Firewall in IBM SoftLayer

Summary

This blog post covers the steps to allow access to a Web or application server that is protected by a Vyatta gateway in IBM SoftLayer. Vyatta can be used as a firewall as well as a network gateway. It is a low-cost firewall option, but the learning curve is steeper than for the FortiGate firewall options available on SoftLayer.

This post will cover some steps to protect a Web server or application server in SoftLayer. 

Process

Order a Gateway appliance in the data center where you have your application servers.
Associate the VLANs with the Gateway as shown in the picture below. The application server sits on both the public VLAN and the private VLAN; the database tier sits only on a private VLAN.

SoftLayer Gateway Page


In the picture above there are two associated VLANs. A VLAN can either bypass Vyatta or be routed through the Vyatta gateway. Once a VLAN is associated with the Vyatta gateway, Vyatta firewall rules must be in place before the applications on that VLAN can be reached.

To configure Vyatta you need the gateway address and the subnet address of the associated VLAN.
Determine the subnet and gateway address for the VLAN.
  • From the gateway page, click on the link to the VLAN page.
  • From the VLAN page, click on the Subnet page as shown below. 

SoftLayer VLAN subnet page


Log in to the Vyatta system.
Enter configure to change settings.
-- Assign each VLAN's gateway address to a VLAN sub-interface (vif) on the right adapter. eth0 is the private network; eth1 is the public network.

set interfaces ethernet eth1 vif <public vlan number> address <gateway address>/<prefix length>
set interfaces ethernet eth0 vif <private vlan number> address <other gateway address>/<prefix length>


-- example

set interfaces ethernet eth0 vif 1607 address 10.77.153.65/26
set interfaces ethernet eth1 vif 1253 address 184.173.49.1/27

You may also see a bonded adapter configuration when you run show interfaces before entering configuration mode. If so, use the following command instead, and attach the firewall rule sets below to bond1 rather than eth1.

set interfaces bonding bond1 vif 1253 address 184.173.49.1/27

-- Define the inbound rule set. A named rule set drops anything that no rule accepts, so only the ports listed here will be reachable from outside.

set firewall name home_in rule 10 action accept
set firewall name home_in rule 10 description "allow access to web or application server port"


-- 184.173.49.0/27 is the subnet address of the public VLAN

set firewall name home_in rule 10 destination address 184.173.49.0/27
set firewall name home_in rule 10 destination port 80,8080

set firewall name home_in rule 10 protocol tcp
set interfaces ethernet eth1 firewall in name home_in


-- Outbound rule set. As written, rule 10 allows any outbound TCP from the web subnet, not only replies to the connections accepted above; tighten it if the web tier should not initiate arbitrary outbound connections.

set firewall name home_out rule 10 action accept
set firewall name home_out rule 10 description "allow traffic from Web subnet back out"
set firewall name home_out rule 10 source address 184.173.49.0/27
set firewall name home_out rule 10 protocol tcp
set interfaces ethernet eth1 firewall out name home_out
 

-- In my case the database is somewhere else, so allow the database server address to connect back to the web subnet. Rule 11 sets no destination port, so it admits the database host to every TCP service on the subnet; add a destination port if it only needs to reach one.

set firewall name home_in rule 11 action accept
set firewall name home_in rule 11 description "database back to web"
set firewall name home_in rule 11 source address 52.22.138.15
set firewall name home_in rule 11 destination address 184.173.49.0/27
set firewall name home_in rule 11 protocol tcp

commit
The Web or application server should now be reachable.

commit puts the rules into effect without persisting them; do not save the configuration until you are satisfied that it is working. Unsaved changes are discarded on reboot, so it is easy to reboot and try again.

To view the new routes, exit from configuration mode and enter show ip route.

$ show ip route
S    *> 0.0.0.0/0 [1/0] via 173.193.94.249, eth1
S    *> 10.0.0.0/8 [1/0] via 10.77.153.1, eth0
C    *  10.77.153.0/26 is directly connected, eth0v1
C    *> 10.77.153.0/26 is directly connected, eth0
C    *> 10.77.153.64/26 is directly connected, eth0.1607
C    *> 127.0.0.0/8 is directly connected, lo
C    *  173.193.94.248/29 is directly connected, eth1v1
C    *> 173.193.94.248/29 is directly connected, eth1
C    *> 184.173.49.0/27 is directly connected, eth1.1253

There are two new routes, one to each associated VLAN (eth0.1607 and eth1.1253).
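As an added example (not from the original post), here is the same rule set expressed as data in Python, with the Vyatta commands generated from it and two checks a practitioner would want before typing commit: that the gateway address really lies on the VLAN subnet with the subnet's prefix length (the kind of slip that a stray "/2" instead of "/27" causes), and that no accept rule matches every destination port. The addresses, VLAN number and rule names are the post's; the rule table layout and the function names are this example's assumptions.

```python
"""Added example (not from the original post): build the post's Vyatta
'set firewall' lines from a small rule table and audit them."""
import ipaddress

# Constructed from the post: public VLAN 1253, its subnet and gateway, and the
# external database host that must reach the web tier.
PUBLIC_VLAN = 1253
WEB_SUBNET = "184.173.49.0/27"
WEB_GATEWAY = "184.173.49.1/27"
DB_SERVER = "52.22.138.15"

# The post's three rules as data; 'ports' is absent where the post sets no
# destination port.
POST_RULES = [
    dict(name="home_in", number=10, action="accept", proto="tcp",
         description="allow access to web or application server port",
         dst=WEB_SUBNET, ports=[80, 8080]),
    dict(name="home_out", number=10, action="accept", proto="tcp",
         description="allow traffic from Web subnet back out", src=WEB_SUBNET),
    dict(name="home_in", number=11, action="accept", proto="tcp",
         description="database back to web", src=DB_SERVER, dst=WEB_SUBNET),
]


def gateway_matches_subnet(gateway_cidr, subnet_cidr):
    """The address given to 'set interfaces ... vif <vlan> address' must be a
    host in the VLAN subnet with the subnet's own prefix length; a wrong prefix
    puts the sub-interface on a different network without any error."""
    gw = ipaddress.ip_interface(gateway_cidr)
    net = ipaddress.ip_network(subnet_cidr)
    return gw.ip in net and gw.network == net


def interface_cmds(vlan, gateway_cidr, bonded=False):
    """Address the VLAN sub-interface and attach both rule sets to its parent,
    eth1 or (when 'show interfaces' reports a bond) bond1."""
    parent = "bonding bond1" if bonded else "ethernet eth1"
    return [f"set interfaces {parent} vif {vlan} address {gateway_cidr}",
            f"set interfaces {parent} firewall in name home_in",
            f"set interfaces {parent} firewall out name home_out"]


def rule_cmds(rule):
    """Emit the 'set firewall name <set> rule <n> ...' lines for one rule."""
    base = f"set firewall name {rule['name']} rule {rule['number']}"
    cmds = [f"{base} action {rule['action']}",
            base + ' description "' + rule["description"] + '"',
            f"{base} protocol {rule['proto']}"]
    if "src" in rule:
        cmds.append(f"{base} source address {rule['src']}")
    if "dst" in rule:
        cmds.append(f"{base} destination address {rule['dst']}")
    if "ports" in rule:
        cmds.append(f"{base} destination port " + ",".join(map(str, rule["ports"])))
    return cmds


def audit(rules):
    """Flag accept rules that match every destination port.  In the post's set
    these are home_out rule 10 (any outbound TCP from the web subnet) and
    home_in rule 11 (the database host may reach any TCP service on the subnet)."""
    return [f"{r['name']} rule {r['number']}: accepts any {r['proto']} port"
            for r in rules if r["action"] == "accept" and "ports" not in r]


def vyatta_config(rules=POST_RULES, bonded=False):
    """The full command list in the order the post enters it, ending in commit."""
    if not gateway_matches_subnet(WEB_GATEWAY, WEB_SUBNET):
        raise ValueError("gateway address is not on the VLAN subnet")
    cmds = ["configure"] + interface_cmds(PUBLIC_VLAN, WEB_GATEWAY, bonded)
    for rule in rules:
        cmds += rule_cmds(rule)
    return cmds + ["commit"]


if __name__ == "__main__":
    print("\n".join(vyatta_config()))
    for finding in audit(POST_RULES):
        print("AUDIT:", finding)
```

Running it prints the command list and two audit findings. Pass bonded=True to get the bond1 variant; the audit is the part worth keeping around, since it is the accept-any-port rules that quietly widen exposure as a rule set grows.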






Monday, May 18, 2015

Using a Load Balancer for an Apache Tomcat Application

Summary

When load balancing an application, you have to handle the session data that is maintained for each user. One option is a sticky session: the load balancer always routes a user back to the server they first connected to. The screen shot below from a SoftLayer local load balancer shows this option as w/ Inserted Cookie. It is easier to implement but offers no failover: when the server a user is pinned to fails, that user's session is lost. The other option is to write session data to a store that every application server can reach.

This tutorial will step you through the process of configuring Apache Tomcat to use a Redis database to maintain session data.
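To make the difference concrete, here is an added example (not code from the original post or from the session manager project) that simulates both strategies. Two "Tomcat" backends sit behind a load balancer that pins a client to one backend with an inserted cookie; the only difference between the two runs is whether each backend keeps sessions in private memory or all of them share one store standing in for Redis. The names, the request shape and the per-session counter are this example's own.

```python
"""Added example (not from the original post): sticky sessions with private
session memory versus sticky sessions over a shared store, under failover."""
import itertools


class Backend:
    """One application server.  'store' is its session table: a private dict
    (stock Tomcat) or a dict shared by every backend (the Redis session manager)."""

    def __init__(self, name, store=None):
        self.name = name
        self.alive = True
        self.sessions = {} if store is None else store

    def handle(self, session_id):
        """Increment a per-session counter, as a shopping-cart page might."""
        if not self.alive:
            raise ConnectionError(f"{self.name} is down")
        data = self.sessions.get(session_id, {"count": 0})
        data["count"] += 1
        self.sessions[session_id] = data   # write back after the request, as the Redis manager does
        return data["count"]


class LoadBalancer:
    """Sticky ('w/ Inserted Cookie') balancing: honour the cookie naming the
    backend the client was first sent to; fall back to round-robin over live
    backends when that backend is gone."""

    def __init__(self, backends):
        self.backends = backends
        self._rr = itertools.cycle(backends)

    def route(self, pinned_name):
        for b in self.backends:
            if b.name == pinned_name and b.alive:
                return b
        for _ in range(len(self.backends)):
            b = next(self._rr)
            if b.alive:
                return b
        raise RuntimeError("no live backends")


def simulate(shared_store):
    """Send four requests for one session; the pinned backend fails before the
    fourth.  Returns the counter value the client sees on each request."""
    store = {} if shared_store else None
    a, b = Backend("tomcat-a", store), Backend("tomcat-b", store)
    lb = LoadBalancer([a, b])
    session_id = "JSESSIONID-example"    # constructed; Tomcat issues a random one
    cookie = None                        # the load balancer's inserted cookie
    seen = []
    for request in range(4):
        if request == 3:
            a.alive = False              # the server the client is pinned to fails
        backend = lb.route(cookie)
        seen.append(backend.handle(session_id))
        cookie = backend.name
    return seen


if __name__ == "__main__":
    print("private session memory:", simulate(shared_store=False))
    print("shared session store:  ", simulate(shared_store=True))
```

With private memory the fourth request lands on tomcat-b and the counter restarts at 1: the user's session is gone. With the shared store the surviving backend loads the same session and the counter continues at 4, which is what the Redis session manager configured below provides: it reads the session from Redis at the start of each request and writes it back at the end, so any backend can pick up where another left off.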

SoftLayer Load Balancer options

Install Java

  • cd /tmp
  • wget --no-cookies --no-check-certificate --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/8u45-b14/jdk-8u45-linux-x64.tar.gz"
    Note: the URL is plain http and --no-check-certificate turns off TLS certificate validation for any redirect, so verify the archive's SHA-256 against the checksum Oracle publishes for 8u45 before extracting it.
  • cd /opt
  • tar -xf /tmp/jdk-8u45-linux-x64.tar.gz
  • echo "export JAVA_HOME=\"/opt/jdk1.8.0_45\"" >> ~/.bashrc

Install Apache Tomcat

  • cd /tmp
  • wget http://apache.claz.org/tomcat/tomcat-7/v7.0.62/bin/apache-tomcat-7.0.62.zip
  • cd /opt
  • unzip /tmp/apache-tomcat-7.0.62.zip
  • echo "export CATALINA_HOME=\"/opt/apache-tomcat-7.0.62\"" >> ~/.bashrc
  • chmod -R 755 /opt/apache-tomcat-7.0.62/bin/*.sh

Install JULI log4j jar

  • cd /opt/apache-tomcat-7.0.62/lib
  • wget http://apache.claz.org/tomcat/tomcat-7/v7.0.62/bin/extras/tomcat-juli.jar

Install Gradle

Gradle is needed to build Redis Tomcat session manager
  • cd /tmp
  • wget https://services.gradle.org/distributions/gradle-2.4-bin.zip
  • cd /opt
  • unzip /tmp/gradle-2.4-bin.zip
  • Add /opt/gradle-2.4 to your PATH.
    •  export PATH=/opt/gradle-2.4/bin:$PATH

Install Redis Tomcat session manager

  • cd /tmp
  • yum -y install git
  • git clone https://github.com/jcoleman/tomcat-redis-session-manager.git
  • cd tomcat-redis-session-manager
  • gradle tasks
    Note: if you get an error on line 57 of build.gradle, remove the uploadArchives section and everything after it.
  • gradle jar
  • Copy jar output to Apache Tomcat
    example: cp ./build/libs/tomcat-redis-session-manager-2.0.0.jar   /opt/apache-tomcat-7.0.62/lib/

Install Redis Java client

Gradle downloaded the Jedis client as a dependency when it built the session manager; copy it into Tomcat's lib directory.
  • find / -name "jedis*.jar"
  • Copy the jar found to Apache Tomcat lib directory
    example:
    •  cp /root/.gradle/caches/modules-2/files-2.1/redis.clients/jedis/2.5.2/83d/jedis-2.5.2.jar /opt/apache-tomcat-7.0.62/lib/

Install Apache Commons Pool

There are some dependency jars needed, so grab the source and build it with Maven
  • cd /tmp
  • wget http://mirror.tcpdiag.net/apache//commons/pool/source/commons-pool2-2.3-src.zip
  • unzip commons-pool2-2.3-src.zip
  • cd /tmp/commons-pool2-2.3-src
  • yum -y install maven
  • source ~/.bashrc
  • mvn package
    Note: package is enough; it produces the jar under target/. deploy would also try to upload the artifact to Apache's repository, which fails without credentials.
  • cp /tmp/commons-pool2-2.3-src/target/commons-pool2-2.3.jar /opt/apache-tomcat-7.0.62/lib/
Find the dependency jars and copy them into the Tomcat lib directory as well
  • find ~/.m2 -name cglib*.jar
  • use the output path to copy cglib to Tomcat
    e.g. cp /root/.m2/repository/cglib/cglib/3.1/cglib-3.1.jar /opt/apache-tomcat-7.0.62/lib/
  • find ~/.m2 -name asm*.jar
  • use the output path to copy asm to Tomcat
    e.g. cp /root/.m2/repository/org/ow2/asm/asm/4.2/asm-4.2.jar /opt/apache-tomcat-7.0.62/lib/
  • find ~/.m2 -name asm-util*.jar
  • use the output path to copy asm-util to Tomcat
    e.g. cp /root/.m2/repository/org/ow2/asm/asm-util/5.0.3/asm-util-5.0.3.jar /opt/apache-tomcat-7.0.62/lib/

Install Redis

This would normally be installed on a separate server but for this tutorial it can be placed on the same server.
See this page to Install Redis

Update Tomcat

Add the following to Tomcat's conf/context.xml, inside the <Context> element (maxInactiveInterval is in seconds):
<Valve className="com.orangefunction.tomcat.redissessions.RedisSessionHandlerValve" />
<Manager className="com.orangefunction.tomcat.redissessions.RedisSessionManager"
         host="localhost"
         port="6379"
         database="0"
         maxInactiveInterval="60"/>

Redis accepts unauthenticated connections by default, and the session manager stores sessions as serialized Java objects, so anything that can write to this Redis instance can feed Tomcat serialized data. When Redis runs on its own server, bind it to the private network only and keep port 6379 off the public VLAN; the manager also accepts a password attribute if you enable requirepass (check the README of the version you built for the exact attribute names).

Restart Tomcat
  • $CATALINA_HOME/bin/catalina.sh stop
  • $CATALINA_HOME/bin/catalina.sh start
Check the logs under $CATALINA_HOME/logs to make sure it is working.

Saturday, May 16, 2015

Building your own Cloud Foundry Instance

After following this step-by-step tutorial you will be able to run your own instance of Cloud Foundry on Amazon. These steps will help you avoid some time-consuming pitfalls.

 Summary

Cloud Foundry is the premier platform as a service (PaaS). After using Cloud Foundry as a developer via IBM Bluemix and following some interesting tutorials on auto scaling, I wanted to try installing an instance of Cloud Foundry myself. Pivotal makes it pretty simple with these instructions, Deploying Cloud Foundry, but the information is spread over several pages, and I made a few mistakes along the way that cost several hours. This tutorial is intended to be a step-by-step cookbook for deploying an app to your own Cloud Foundry instance running on Amazon AWS.

Note:
If you have to start over, remove ~/.bosh_config. I don't think it gets updated. I was wondering why my setup was not working and it turned out this file was pointing to a system that no longer existed.

 Create an AWS instance

This instance will be used to install the tools and code needed to create the Cloud Foundry instance. It will also contain the Cloud Foundry CLI tool, cf.
  • From Amazon EC2 Management, choose a Ubuntu Server.  
  • Select at least a medium server.
  • By default, Amazon EC2 instances will not have enough space on the root file system, so be sure to configure all instance details rather than just clicking Launch.
  • Continue to Storage.
  • Add 15 GiB of storage to the first device.

Install Bosh Lite 

  • Login to Amazon EC2 virtual server. 

    Switch to root. 
    • sudo su -
  • Install these prerequisites and then bosh_cli:

    •  apt-get update
    • apt-get install -y build-essential ruby ruby-dev libxml2-dev libsqlite3-dev libxslt1-dev libpq-dev libmysqlclient-dev  
    • gem install bosh_cli
      • Note: you may see an error during the documentation generation phase. Don't worry about that.
    • apt-get -y install git
    • mkdir ~/workspace
    • cd ~/workspace
    • git clone https://github.com/cloudfoundry/bosh-lite

Create an AWS security group

  • Create an AWS security group called for example: CF_SecurityGroup in the default VPC.
  • Add the following inbound TCP ports: 4443, 22, 80, 25555, 443, as shown in the picture below. Limit 22 and 25555 (SSH and the BOSH director API) to your own source address rather than 0.0.0.0/0; only 80, 443 and 4443 need to be public. Ch
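As an added example (not from the original post), the same inbound rules built in Python in the shape boto3's authorize_security_group_ingress() takes, with the administrative ports limited to the operator's address, plus a check that flags a group which leaves them world-reachable. The port list is the post's; ADMIN_CIDR and the function names are this example's assumptions.

```python
"""Added example (not from the original post): the post's CF_SecurityGroup
inbound rules as boto3 IpPermissions, with admin ports restricted, and an
audit for admin ports exposed to 0.0.0.0/0."""

POST_PORTS = [4443, 22, 80, 25555, 443]   # the ports the post opens inbound
ADMIN_PORTS = frozenset({22, 25555})       # SSH and the BOSH director API
ANYWHERE = "0.0.0.0/0"
ADMIN_CIDR = "203.0.113.10/32"             # constructed: the operator's source address


def ingress_rules(ports, admin_cidr, admin_ports=ADMIN_PORTS):
    """One TCP rule per port.  Admin ports get admin_cidr; everything else is
    public, as the HTTP(S) front end has to be."""
    rules = []
    for port in sorted(set(ports)):
        cidr = admin_cidr if port in admin_ports else ANYWHERE
        rules.append({"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                      "IpRanges": [{"CidrIp": cidr}]})
    return rules


def world_open_admin_ports(rules, admin_ports=ADMIN_PORTS):
    """Return the admin ports that any rule exposes to 0.0.0.0/0.  Handles the
    'all traffic' form (IpProtocol -1, no port fields) that AWS returns from
    describe_security_groups(), so it can be run against a live group too."""
    exposed = set()
    for rule in rules:
        if rule.get("IpProtocol") not in ("tcp", "-1"):
            continue
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        if any(r.get("CidrIp") == ANYWHERE for r in rule.get("IpRanges", [])):
            exposed.update(p for p in admin_ports if lo <= p <= hi)
    return sorted(exposed)


if __name__ == "__main__":
    # Apply with: boto3.client("ec2").authorize_security_group_ingress(
    #     GroupId="<CF_SecurityGroup id>", IpPermissions=ingress_rules(POST_PORTS, ADMIN_CIDR))
    for rule in ingress_rules(POST_PORTS, ADMIN_CIDR):
        print(rule["FromPort"], rule["IpRanges"][0]["CidrIp"])
    print("world-open admin ports when everything is 0.0.0.0/0:",
          world_open_admin_ports(ingress_rules(POST_PORTS, ANYWHERE)))
```

The BOSH director behind port 25555 answers with the default admin/admin credentials used later in this tutorial, which is why that port in particular should never be open to the whole internet.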

 Install Vagrant  

Use Vagrant 1.6.3 (the "Known working version"). I thought this was a testing statement, but it seems 1.6.4 currently causes issues.
  • cd /tmp
  • wget https://dl.bintray.com/mitchellh/vagrant/vagrant_1.6.3_x86_64.deb
  • dpkg -i ./vagrant_1.6.3_x86_64.deb
  • Install Vagrant AWS provider
    • vagrant plugin install vagrant-aws --plugin-version 0.4.1

    Set the following variables in the environment. These are long-lived AWS credentials: export them in the shell session only, and do not put them in ~/.bashrc or in anything you commit.

    export BOSH_AWS_ACCESS_KEY_ID=<AWS access key id>
    export BOSH_AWS_SECRET_ACCESS_KEY=<AWS secret access key>
    export BOSH_LITE_KEYPAIR=<your AWS key name>
    export BOSH_LITE_NAME=Vagrant
    export BOSH_LITE_SECURITY_GROUP=CF_SecurityGroup
    export BOSH_LITE_PRIVATE_KEY=<path to AWS private key>

    For Example:
    export BOSH_AWS_ACCESS_KEY_ID=AKIAI5SJGW...
    export BOSH_AWS_SECRET_ACCESS_KEY=5dgGCXU/Q2C...
    export BOSH_LITE_KEYPAIR=MyAmazonKeyPair
    export BOSH_LITE_NAME=Vagrant
    export BOSH_LITE_SECURITY_GROUP=CF_SecurityGroup
    export BOSH_LITE_PRIVATE_KEY=~/myEC2Key.pem


    • Copy your Amazon private key to this Ubuntu system.
    • The key must be owned by the user running Vagrant, so make sure it is owned by root and readable only by that user.
    • chown root <path to AWS private key>
    • chgrp root <path to AWS private key>
    • chmod 600 <path to AWS private key>
       

    Run Vagrant

    • cd ~/workspace/bosh-lite
    • vagrant up --provider=aws
      Note: If vagrant hangs at Waiting for SSH to become available... retry vagrant up with the --debug option.

    Login to Bosh Director Lite 

    When Vagrant finishes, you will see output like this:

    ==> default: The public IP for this instance is 52.7.237.251
    ==> default: You can 'bosh target 52.7.237.251', or run 'vagrant ssh' and then 'bosh target 127.0.0.1'
    ==> default: Running provisioner: shell...
        default: Running: inline script
    ==> default: Setting up port forwarding for the CF Cloud Controller...


    • bosh target <IP address of the newly created EC2 instance, 52.7.237.251 in the example above>
    • You will be prompted for a username and password
      • bosh user: admin
      • bosh password: admin
      These are the BOSH Lite defaults; change them before port 25555 is reachable from anywhere but your own address.

    Deploy Cloud Foundry

    •  cd ~/workspace
    • Edit bosh-lite/manifests/cf-stub-spiff.yml to add a domain attribute.
      •  vi bosh-lite/manifests/cf-stub-spiff.yml
      • Add domain: <IP address of the newly created EC2 instance, 52.7.237.251 in the example above>.xip.io under the properties section, at the same level as loggregator_endpoint.
    e.g.
    name: cf-warden
    director_uuid: PLACEHOLDER-DIRECTOR-UUID
    releases:
      - name: cf
        version: latest
    properties:
      domain: 52.7.237.251.xip.io
      loggregator_endpoint:
        shared_secret: PLACEHOLDER-LOGGREGATOR-SECRET




    • Download Spiff from https://github.com/cloudfoundry-incubator/spiff/releases
    • Install the latest binary spiff_linux_amd64.zip version.
    • Add spiff in your PATH by com
    • cd ~/workspace
    • git clone https://github.com/cloudfoundry/cf-release 
    • cd bosh-lite
    • bin/provision_cf

    Setup Deployment 

    • Download Cloud Foundry CLI from https://github.com/cloudfoundry/cli/releases. Choose the Debian 64-bit version.
    • cf api --skip-ssl-validation https://api.<new ip address>.xip.io
      • e.g. cf api --skip-ssl-validation https://api.52.7.237.251.xip.io
      Note: --skip-ssl-validation is needed because this instance presents a self-signed certificate; it also means the CLI cannot detect an interposed endpoint, so use it only against a throwaway test instance like this one.
    • cf login
      • Email: admin password: admin (the default admin account; change it before anyone else can reach the API endpoint)
    • cf create-org MyOrg
    • cf target -o MyOrg
    • cf create-space development
    • cf target -s development 

    Deploy a sample application

    • cd ~/workspace
    • git clone https://github.com/jbd214/cloudFoundryPythonApp.git
    • cd cloudFoundryPythonApp
    • cf push
    The output of the cf push should look like this: 
    Results of cf push
    Copy the URL and paste it into your browser. You should see this:
    Python Cloud Foundry App running in browser