Setting up an OpenSolaris root server at Hetzner

Several months ago I ordered a root server from the German hosting provider Hetzner, the EQ4. It is quite powerful: an Intel Core i7-920 quad-core CPU, 8 GB RAM and two 750 GB HDDs for only 45,- €/month. Since at first glance they only provide several Linux flavors (openSUSE, Fedora, CentOS), I decided to use CentOS, with which I had already had some very good experiences a couple of years ago. The installation process was very easy.

After a couple of months without much time to fiddle with the server it just sat there in its rack and got bored.

After the very inspiring NoSQL meeting in Berlin last Thursday I decided to spend some time with my server, installing Erlang, CouchDB and nginx as a reverse proxy to handle authentication and SSL.

Installing the software packages went very well. Some of them I grabbed via yum, others I installed from source. Connecting to my system via an ssh session worked very well, but there was a very strange iptables setup in the CentOS installation which drove me crazy: I could not reach the proxy from outside, and after several hours I decided to try a reinstall. At Hetzner one can reboot the server into a so-called rescue mode. This mode can of course be Linux, but also FreeBSD and OpenSolaris. Digging a little further I discovered a page in the Hetzner wiki describing how to install OpenSolaris through this rescue system.

I used JollyFastVNC to establish a VNC session to the rescue system and used the graphical OpenSolaris installer to install it on the first HDD. After the installation I followed the directions from an earlier post of mine to create a ZFS mirror using both HDDs.

This is my hardware configuration discovered by OpenSolaris:

# prtdiag -v
System Configuration: MSI MS-7522
BIOS Configuration: American Megatrends Inc. V8.2 04/20/2009

==== Processor Sockets ====================================

Version                          Location Tag
-------------------------------- --------------------------
Intel(R) Core(TM) i7 CPU         920  @ 2.67GHz CPU 1

==== Memory Device Sockets ================================

Type        Status Set Device Locator      Bank Locator
----------- ------ --- ------------------- ----------------
other       in use 0   DIMM0               BANK0
other       in use 0   DIMM1               BANK1
other       in use 0   DIMM2               BANK2
other       empty  0   DIMM3               BANK3
other       in use 0   DIMM4               BANK4
other       empty  0   DIMM5               BANK5
FLASH       in use 0                        

==== On-Board Devices =====================================

==== Upgradeable Slots ====================================

ID  Status    Type             Description
--- --------- ---------------- ----------------------------
1   available PCI              PCI1
2   available PCI Express      PCIE2
3   available PCI Express      PCIE3
4   available PCI Express      PCIE4

Next I used the CouchDB directions in the Joyent Wiki to install the entire required software stack from source. After some fiddling with directory write permissions I had my CouchDB system up and running.

To install nginx I followed the official site. I wanted password authentication on my site. Since nginx doesn't come with htpasswd, I ran it on my Mac:

$ htpasswd -nbd user password
user:TYVlO9aeSogv6

I copied the output line into the file /etc/nginx/htpasswd on my server.

To create a self signed certificate in the folder /etc/nginx I used the following commands:

# openssl req -new -nodes -keyout selfsigned.key -out selfsigned.csr
Generating a 1024 bit RSA private key
............................................................................................................................++++++
........................++++++
writing new private key to 'selfsigned.key'
...
# openssl x509 -req -days 1095 -in selfsigned.csr -signkey selfsigned.key -out selfsigned.crt
Signature ok
...
Getting Private key

My nginx configuration file looks like this:

#/etc/nginx/nginx.conf

#user  nobody;
worker_processes  2;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] $request '
    #                  '"$status" $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
                auth_basic "Restricted";
                auth_basic_user_file /etc/nginx/htpasswd;
                rewrite /couchdb/(.*) /$1 break;
                proxy_pass http://localhost:5984;
                proxy_redirect off;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }

    #
    # HTTPS server
    #
    server {
        listen       443;
        server_name  localhost;

        ssl                  on;
        ssl_certificate      /etc/nginx/selfsigned.crt;
        ssl_certificate_key  /etc/nginx/selfsigned.key;

        ssl_session_timeout  5m;

        ssl_protocols  SSLv2 SSLv3 TLSv1;
        ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers   on;

        location / {
                auth_basic "Restricted";
                auth_basic_user_file /etc/nginx/htpasswd;
                rewrite /couchdb/(.*) /$1 break;
                proxy_pass http://localhost:5984;
                proxy_redirect off;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}

Now when I open http://my.secret.server.ipaddress/ I can log in with the user credentials stored in htpasswd and get the warm CouchDB welcome message: '{"couchdb":"Welcome","version":"0.10.0"}'. I can also use the secure entry at https://my.secret.server.ipaddress/.
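A few settings in the configuration above are worth checking before the proxy is exposed: `ssl_protocols SSLv2 SSLv3 TLSv1` and a cipher list whose `+LOW`, `+SSLv2` and `+EXP` entries re-admit export and RC4 suites, basic authentication offered on the plaintext port 80 listener (where the credentials travel base64-encoded, not encrypted), and `ssl on;`, which newer nginx releases have replaced by `listen 443 ssl;`. The following Python script is an added example, not code from the post or from nginx: it parses the security-relevant directives out of a constructed excerpt of the config above, reports each weak setting, and carries a hardened counterpart (port 80 redirecting to HTTPS, TLS 1.2+ with AEAD suites only, HSTS, basic auth over TLS only). The brace-counting parser and the keyword lists are this example's own simplifications, not nginx's parser or an exhaustive cipher audit.

```python
import re

# Constructed excerpt of the post's two server blocks (paths are the post's own).
SAMPLE_CONF = """
server {
    listen       80;
    location / {
        auth_basic "Restricted";
        proxy_pass http://localhost:5984;
    }
}
server {
    listen       443;
    ssl                  on;
    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    location / {
        auth_basic "Restricted";
        proxy_pass http://localhost:5984;
    }
}
"""

# Hardened counterpart: port 80 only redirects, TLS 1.2+ with AEAD suites, HSTS,
# and basic auth is offered over TLS only.  Certificate paths are the post's own.
HARDENED_CONF = """
server {
    listen       80;
    return 301 https://$host$request_uri;
}
server {
    listen       443 ssl;
    ssl_certificate      /etc/nginx/selfsigned.crt;
    ssl_certificate_key  /etc/nginx/selfsigned.key;
    ssl_protocols        TLSv1.2 TLSv1.3;
    ssl_ciphers          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/htpasswd;
        proxy_pass http://localhost:5984;
    }
}
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-list keywords that admit export, RC4, DES/MD5 or unauthenticated suites.
WEAK_CIPHER_KEYWORDS = {"LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56", "RC4", "DES",
                        "MD5", "NULL", "aNULL", "eNULL", "SSLv2", "SSLv3"}


def server_blocks(text):
    """Bodies of all top-level 'server { ... }' blocks, '#' comments stripped, brace-aware."""
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    blocks = []
    for m in re.finditer(r"\bserver\s*\{", text):
        depth = 0
        for i in range(m.end() - 1, len(text)):
            depth += (text[i] == "{") - (text[i] == "}")
            if depth == 0:
                blocks.append(text[m.end():i])
                break
    return blocks


def directive(block, name):
    """Values of every 'name value;' directive in a block, nested locations included."""
    return [v.strip() for v in re.findall(rf"(?m)^\s*{name}\s+([^;]*);", block)]


def weak_cipher_tokens(cipher_string):
    """Weak keywords an OpenSSL cipher list still enables ('!X' and '-X' remove X)."""
    bad = set()
    for item in cipher_string.split(":"):
        item = item.strip()
        if item and item[0] not in "!-":
            bad.update(t for t in item.lstrip("+").split("+") if t in WEAK_CIPHER_KEYWORDS)
    return sorted(bad)


def audit(conf):
    """(server_index, code, detail) for each weak setting found."""
    findings = []
    for n, block in enumerate(server_blocks(conf), 1):
        tls = any("ssl" in v.split() for v in directive(block, "listen")) \
            or directive(block, "ssl") == ["on"]
        redirected = any("https://" in v for v in directive(block, "return"))
        if not tls and directive(block, "auth_basic") and not redirected:
            findings.append((n, "CLEARTEXT_AUTH", "basic-auth credentials are only base64-"
                             "encoded on a plaintext listener; redirect to https instead"))
        for v in directive(block, "ssl_protocols"):
            bad = sorted(set(v.split()) & WEAK_PROTOCOLS)
            if bad:
                findings.append((n, "WEAK_PROTOCOLS", ", ".join(bad) + " enabled; allow TLSv1.2 TLSv1.3"))
        for v in directive(block, "ssl_ciphers"):
            bad = weak_cipher_tokens(v)
            if bad:
                findings.append((n, "WEAK_CIPHERS", ", ".join(bad) + " still enabled"))
    return findings


if __name__ == "__main__":
    for n, code, detail in audit(SAMPLE_CONF):
        print(f"server #{n}: {code}: {detail}")
    print("\nhardened replacement:" + HARDENED_CONF)
```

Run it directly to see the three findings for the post's settings and an empty result for the hardened text, which can replace the two `server` blocks inside `http {}`. Two caveats for the earlier steps belong here as well: the `openssl req` call above generated a 1024-bit RSA key (that release's default), so regenerate with `-newkey rsa:2048` or larger; and `htpasswd -d` stores a traditional crypt(3) hash that keeps only the first eight characters of the password, whereas `htpasswd -nbm user password` produces an apr1 (`$apr1$`) hash that nginx's `auth_basic_user_file` also accepts.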

After every successful step I made a ZFS snapshot, which is the greatest feature I can use now. By the way: a nice ZFS cheat sheet can be found here.

I don't know why it worked so well with OpenSolaris while I had so many problems with CentOS. Maybe my system is now wide open and completely insecure, but I like it much better this way, because now I can close all the open doors step by step and make it more secure.

Next I will also move my domain to Hetzner and let it point to my server. Then I will set up a mail server, maybe install some Ruby on Rails stuff (http://www.redmine.org/) and write an Adobe Flex application for a customer which will rely completely on CouchDB #bliss.


2 thoughts on “Setting up an OpenSolaris root server at Hetzner”

  1. from: http://dcdror.riaforge.org/blog/index.cfm/2009/10/9/Using-the-plugin-from-FlashBuilder4

    “Hi,
    thanks for your great tutorial. However I cannot get it running with RubyAMF instead of WebORB.
    Whenever I want to configure the service I get the following error on the rails console:

    Processing RubyamfController#gateway (for 127.0.0.1 at 2009-12-07 17:07:54) [POST]
    Sending data
    Completed in 68ms (View: 1, DB: 0) | 200 OK [http://localhost/rubyamf/gateway]
    >>>>>>>> RubyAMF >>>>>>>>> # took: 0.00010 secs
    uninitialized constant FBIntrospectionServiceController
    ….

    Where can I get this FBIntrospectionServiceController?

    Thanks in advance,
    Markus”

    I am in the same situation, did you find any way to get it to work?
    I got it to work with weborb fine but not for nested resources …

    Best regards Brett

    • Hi Brett,
      RubyAMF does not work with DCD. Got this mail from Gaurav:

      Hi,
      Currently this plugin does not support RubyAMF. The main reason is that RubyAMF allows only controllers to be exposed as services.

      Thanks,
      – Gaurav

      Tried it with WebORB, but the whole thing is quite immature. Switched back to RubyAMF and used it directly without the DCD-stuff.
      Maybe the final release will work better.
      Cheers,
      Markus
