Archive for March, 2009

For debian/ubuntu users who want to use MySQL 5.1, there aren’t really many options available apart from compiling from source.

Whilst this is probably the best solution, a far simpler and easier (no need to worry about things like the client) method is using the repositories from dotdeb.org. Although these are made for debian installs, I tried it earlier on ubuntu 8.10 and it worked without any problems. As usual, back up your data first!

Assuming you’ve got mysql-server-5.0 installed (although if you don’t have the server installed at all it should still work), here are the steps to get 5.1.

First, you need to edit /etc/apt/sources.list and add the dotdeb repository. This is the line you need to add for Lenny, but just change it to Etch if you haven’t upgraded yet (see my earlier post if you want to know how to do that).

deb http://packages.dotdeb.org lenny all

Then, update…

apt-get update

And then install 5.1

apt-get install mysql-server-5.1

This should also install the dependencies: libmysqlclient16, mysql-client-5.1, and update mysql-common. If you already have 5.0 installed, this will also remove the server and client for it.

If you get a message saying that packages can’t be authenticated, it isn’t anything to worry about. Just select ‘y’ and continue. After the install is complete, you should have MySQL 5.1 installed with the most useful engines:

Server version: 5.1.32-0.dotdeb.0 (Debian)

You can also use the dotdeb repositories to upgrade to the latest versions of apache, and php.

It’s probably worth reading this guide on apt pinning, which is the best way to maintain a system using repositories with different versions of the same packages.

I finally decided to take the plunge and upgrade a few of my Etch servers to Lenny, and the process was a lot less painful than I was expecting.

These are basically the steps from the official manual, but I can’t guarantee that your system will upgrade as easily as mine – as always when upgrading you should back up your data and be prepared for the worst.

Usually I prefer apt-get over aptitude, but the official documentation recommends aptitude to do the upgrade, so here’s what you need to do (as root).

First, edit /etc/apt/sources.list and change all mentions of etch to lenny. If you use vim, you can simply do the following:

vim /etc/apt/sources.list
(then, in vim)
:%s/etch/lenny/g
:wq

Then update…

aptitude update

At this point, you might receive the following error (I did on every server I upgraded):

W: There is no public key available for the following key IDs:
4D270D06F42584E6

W: You may want to run apt-get update to correct these problems

To fix this, you need to install the following:

aptitude install debian-archive-keyring
aptitude update

Now you’re ready to do the upgrade. The safest way to do this is in 3 parts:

aptitude install aptitude
(upgrading aptitude itself first is the safe way of doing things)
aptitude upgrade
(when this finishes)
aptitude dist-upgrade

When this has finished, your system is upgraded to Lenny! All you need to do now is reboot, and hopefully the system will come back up and be running Lenny.

My main reason for posting this is completeness (so I’ve got guides for everything you need for a basic hosting server here), not because it’s difficult to do.

Getting mysql server installed and running is simple to do:

apt-get install mysql-server

Once this is done, you will probably want to set the root password, or add an admin user:

mysql
grant all privileges on *.* to 'username'@'host' identified by 'password' with grant option;

Obviously use your own username, host, and password. To allow connections from any host, you can use '%' as the host.

Next, I usually change the config so MySQL is listening on all available IP addresses (instead of just localhost). This is done by commenting out the ‘bind-address’ line in /etc/mysql/my.cnf and restarting the server:

/etc/init.d/mysql restart

That’s it, you’ve now got a working MySQL server.

This guide assumes that you’ve already got a server running either debian or ubuntu, and you want to make it serve web pages.

First, install apache2, php, and some other useful modules

apt-get install apache2 libapache2-mod-php5 php5-cli php5-curl php5-gd php5-imap php5-common php5-mysql

That’s it, you should now be able to browse to http://localhost and see the default apache page!

By default, the webroot is /var/www/ but if you’re planning to host a domain you’ll probably want to point it somewhere else. This is how you configure apache to listen for the domain www.example.com and set the webroot as /home/www/www.example.com/ (it’s assumed that you’ve already got an A record in the site’s DNS pointing to this server).

/etc/init.d/apache2 stop

Then create the apache virtual host file /etc/apache2/sites-available/www.example.com with the following content:

<VirtualHost x.x.x.x:80>
ServerAdmin me@example.com
DocumentRoot /home/www/www.example.com
ServerName www.example.com
ErrorLog /var/log/apache2/error_log
CustomLog /var/log/apache2/access_log combined
EnableSendfile Off
EnableMMap Off
</VirtualHost>

Replace x.x.x.x with your server’s IP address.

Next, you need to enable the site, and start apache.

a2ensite www.example.com
/etc/init.d/apache2 start

That’s it!

This is a little bit later than I originally intended, but I finally got around to setting up OpenVPN, and here’s how I did it.

This guide is pretty simple to follow and should have an OpenVPN server on debian or ubuntu working within half an hour. I’ll also explain how to connect to the VPN from a windows PC.

First, install OpenVPN on the server (you’ll need to be root for all of this guide)

apt-get install openvpn

Next, we need to configure the server. You need to make a decision here whether you want tun (routed) or tap (bridged) connections. The main difference is that tap will give the client a network address on the server network, whereas tun creates a private network managed by the server. In this guide I will use tap because I find that it works better with windows clients.

Now you need to create certificates for the server and client for authentication purposes (which is much more secure than the passwords used in pptp). This is done through a number of steps:

Preparing to generate the keys

mkdir /etc/openvpn/easy-rsa
cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa

Now you need to edit /etc/openvpn/easy-rsa/vars with your required settings. You only really need to change the last section which is the default values for the fields in the certificates.

Generate the certificate authority (CA) which will be used to sign the server and client certificates.

cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca

Next, we need to create the server keys

./build-key-server servername

Answer ‘yes’ when asked to sign the certificate and commit to the database, and then you’ll need to generate the Diffie-Hellman parameters which are used for key exchange between the client and server.

./build-dh

And finally, create some client keys which will be used to allow clients to authenticate with the server. I prefer to use pkcs12 which stores the client public key and certificate in one passworded file.

./build-key-pkcs12 client1

As before, sign the key and commit to the database. You will be asked for a password which the client will use to connect to the server.

Now all the keys are created, we need to configure the server.

vim /etc/openvpn/server.conf
(add the following lines)
port 443
proto tcp
dev tap
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/servername.crt
key /etc/openvpn/easy-rsa/keys/servername.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 10.1.0.1 255.255.255.0 10.1.0.236 10.1.0.245
push "route 10.0.0.0 255.0.0.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

The only lines which you will need to change are ‘server-bridge’, which is simply the default gateway, subnet mask, and the start and end IPs to assign to the clients, and the push route, which pushes specific routes to all clients.

Now we need to create an ethernet bridge. First, we need to install bridge-utils:

apt-get install bridge-utils

Rather than explain how to set up a network bridge, I found a shell script which will do it for you. This can be found here. Just edit this with your network settings and execute it. You will also need to set it to create the bridge at boot time:

update-rc.d bridge defaults
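The bridge script the post links to is not reproduced here, so the following is an added example of such an init script, written from the standard brctl sequence rather than taken from the author. It assumes eth0 as the physical interface, a persistent tap0 device that server.conf refers to as dev tap0 (a bare ‘dev tap’ would create a new, unbridged interface), br0 carrying the 10.1.0.1/24 address from the server-bridge line, and a constructed default gateway of 10.1.0.254; set RUN=echo to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: a minimal /etc/init.d/bridge for the tap setup above.
# Assumptions (not from the post): physical NIC eth0, persistent tap0 that
# server.conf refers to as "dev tap0", bridge br0 carrying the 10.1.0.1/24
# address from server-bridge, and a constructed default gateway 10.1.0.254.
ETH="${ETH:-eth0}"
TAP="${TAP:-tap0}"
BR="${BR:-br0}"
IP="${IP:-10.1.0.1}"
NETMASK="${NETMASK:-255.255.255.0}"
BROADCAST="${BROADCAST:-10.1.0.255}"
GATEWAY="${GATEWAY:-10.1.0.254}"
RUN="${RUN:-}"   # set RUN=echo to print the commands instead of running them

bridge_start() {
    # create the persistent tap device that openvpn will attach to
    $RUN openvpn --mktun --dev "$TAP"
    $RUN brctl addbr "$BR"
    $RUN brctl addif "$BR" "$ETH"
    $RUN brctl addif "$BR" "$TAP"
    # bridge members carry no address of their own; the bridge takes it over
    $RUN ifconfig "$ETH" 0.0.0.0 promisc up
    $RUN ifconfig "$TAP" 0.0.0.0 promisc up
    $RUN ifconfig "$BR" "$IP" netmask "$NETMASK" broadcast "$BROADCAST" up
    $RUN route add default gw "$GATEWAY"
}

bridge_stop() {
    $RUN ifconfig "$BR" down
    $RUN brctl delif "$BR" "$TAP"
    $RUN brctl delif "$BR" "$ETH"
    $RUN brctl delbr "$BR"
    $RUN openvpn --rmtun --dev "$TAP"
    # hand the address and default route back to the physical interface
    $RUN ifconfig "$ETH" "$IP" netmask "$NETMASK" broadcast "$BROADCAST" up
    $RUN route add default gw "$GATEWAY"
}

case "${1:-}" in
    start)   bridge_start ;;
    stop)    bridge_stop ;;
    restart) bridge_stop; bridge_start ;;
    "")      ;;   # no argument: only define the functions (e.g. when sourced)
    *)       echo "Usage: $0 {start|stop|restart}" >&2; exit 1 ;;
esac
```

Install it as /etc/openvpn/bridge or /etc/init.d/bridge, run it with start before openvpn, and the update-rc.d line above then brings the bridge up at boot.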

Now you can start the openvpn server:

/etc/init.d/openvpn start

Now we need to set up the windows client. First, download the OpenVPN client from here (at the time of writing, select 2.1 RC15). Install it, and create a file ‘client.conf’ in the config directory with the following parameters

client
dev tap
proto tcp
remote x.x.x.x 443 # (replace with your server IP)
resolv-retry infinite
nobind
pkcs12 client1.p12 # (replace with the client name)
ns-cert-type server
comp-lzo
verb 3

You can also add ‘redirect-gateway’ to the client configuration to pass all traffic down the VPN tunnel (rather than just traffic intended for the VPN itself).

Now copy the client1.p12 certificate file to the config directory on the client, start the gui, and connect. Everything should now work.

If you need to create any clients in the future, do the following:

cd /etc/openvpn/easy-rsa
source ./vars
./build-key-pkcs12 clientx

If one of your certificates is compromised, you can revoke it using the guide here.

This guide has been written from my notes and what I remember, so there may be a couple of things which aren’t 100% right. If anything goes wrong then post a comment or contact me and I’ll update the guide.